We present a quantum algorithm for computing the period lattice of
infrastructures of fixed dimension. The algorithm applies to infrastructures that
satisfy certain conditions. The latter are always fulfilled for infrastructures
obtained from global fields, i.e., algebraic number fields and function fields with
finite constant fields, as described in [Fon11].

The first of our main contributions is an exponentially better method for
sampling approximations of vectors of the dual lattice of the period lattice than
the methods outlined in the works of Hallgren and Schmidt and Vollmer.
This new method improves the success probability by a factor of at least $2^{n^2-1}$,
where $n$ is the dimension. The second main contribution is a rigorous and
complete proof that the running time of the algorithm is polynomial in the
logarithm of the determinant of the period lattice and exponential in $n$. The
third contribution is the determination of an explicit lower bound on the success
probability of our algorithm which greatly improves on the bounds given in the
above works.

The exponential scaling seems inevitable because the best currently known 
methods for carrying out fundamental arithmetic operations in infrastructures 
obtained from algebraic number fields take exponential time. In contrast, the 
problem of computing the period lattice of infrastructures arising from function 
fields can be solved without the exponential dependence on the dimension n since 
this problem reduces efficiently to the abelian hidden subgroup problem. This 
is also true for other important computational problems in algebraic geometry. 
The running time of the best classical algorithms for infrastructures arising 
from global fields increases subexponentially with the determinant of the period 
lattice. 
1 Introduction



1.1 Informal definition of an infrastructure and the problem of computing the period lattice

An $n$-dimensional infrastructure $X$ is a finite set of distinguished points on an
$n$-dimensional torus $\mathbb{R}^n/\Lambda$, where $\Lambda$ is a lattice of full rank in $\mathbb{R}^n$. To each
of these finitely many distinguished points, we assign a region on the torus,
so that every point on the torus lies in exactly one such region. If $x$ is such
a distinguished point, every point $y$ in this region can be represented by the
difference $t := y - x$ together with the pair $(x,t)$. These tuples $(x,t)$
are essentially the $f$-representations of the infrastructure. Infrastructures can
be obtained, for example, from global fields, i.e., from algebraic number fields
as well as function fields with finite constant fields; in this case, the lattice
corresponds to the free part of the unit group. We explain later that such
infrastructures satisfy all assumptions we make on infrastructures in this paper.

We present a quantum algorithm for computing the period lattice $\Lambda$ of
infrastructures of fixed dimension $n$ and provide a rigorous and detailed proof of
its performance. We focus our attention on non-discrete infrastructures. An
infrastructure is called discrete if its period lattice is integral and the coordinates
of the distinguished points are integral (or more generally, if everything can be
made integral by a suitable rescaling). Discrete and non-discrete infrastructures
arise from function fields and number fields, respectively. The problem of
computing the period lattice of discrete infrastructures is easy since this problem
can be solved by using the same approach as for the abelian hidden subgroup
problem. The reason is that the quantum algorithm for solving the abelian HSP
can also be viewed as computing a hidden lattice in $\mathbb{Z}^n$.

1.2 Intuition behind the quantum algorithm and brief summary of new contributions

The idea behind the quantum algorithm for computing the period lattice of a
(non-discrete) infrastructure is as follows. It is possible to define a function from
the window $\mathcal{V} = \{0, \dots, qN-1\}^n \subset \mathbb{Z}^n$ into a certain finite set, whose elements
are related to $f$-representations, so that

$$f(v) = f(v') \iff \frac{v - v'}{N} \approx \lambda \quad \text{for some } \lambda \in \Lambda.$$

In words, there is a collision iff the two values $v$ and $v'$ differ approximately by
an integer multiple of a lattice vector of the period lattice. This implies that
the elements of the preimage $f^{-1}(v)$ have the special form

where $\lambda \in \Lambda$ and $\delta_\lambda$ is a certain error vector from $(-1,1)^n$ such that $v' \in \mathcal{V}$.
Moreover, for a constant fraction of $v$ the cardinality of the corresponding
preimage $f^{-1}(v)$ is close to $\frac{q^n}{\det(\Lambda)}$, which corresponds to the natural density
of the lattice $\Lambda$ in $\mathbb{R}^n$.

We prove that such a function $f$ exists and can always be evaluated correctly
at all points of $\mathcal{V}$ with constant probability. Our analysis takes into account the
special nature of the shapes of the regions of the distinguished points and the
way these regions interlock with each other. This analysis closes a gap in
the work [Hal05]. The works [SV05, Sch07] chose a different approach. They
showed that it is not necessary that the function $f$ can always be evaluated
correctly. However, their resulting analysis leads to a significantly worse overall
running time.

Efficiency means here that we can evaluate this function in time that is
polynomial in the logarithm of the determinant of the period lattice $\Lambda$ and
exponential in the dimension $n$. This exponential scaling seems inevitable because
the best methods for carrying out fundamental arithmetic operations in such
infrastructures take exponential time.

Following the quantum algorithm for the abelian HSP, we start by evaluating
the function $f$ in superposition over the window $\mathcal{V}$ and measuring the output
register. The resulting post-measurement state is a "pseudo-periodic" state, i.e.,
a uniform superposition of the above $v'$. It is important that this superposition
contains sufficiently many values of the form $v'$. The pseudo-periodic state
corresponds to a uniform superposition of a randomly translated rectangular
portion of the rescaled lattice $N\Lambda$ such that only few of its points are missing
and the remaining points are only slightly perturbed. We present a new method
for precisely analyzing the probability of obtaining a pseudo-periodic state with
sufficiently many values of the $v'$. This analysis also closes a gap in the work [Hal05].

Similarly to the situation in the abelian HSP, we effectively remove the
undesired random offset $v$ by applying a multidimensional quantum Fourier
transform. This allows us to sample approximations of lattice vectors of the
dual lattice $\Lambda^*$. To mitigate the perturbation effects caused by the error vectors
$\delta_\lambda$, we have to perform the quantum Fourier transform over a larger window $\mathcal{W}$.
But this comes at the price of an exponential decay of the success probability
with increasing dimension $n$. The idea to use a larger window goes back to
[Hal05] and [SV05, Sch07]. We obtain here a new, better method for sampling
approximations, improving the success probability by the exponential factor $2^{n-1}$
compared to the less efficient methods in [Hal05] and [SV05, Sch07]. This is not
just an improvement in the analysis, but an improvement of the algorithm.

We present lattice and group theoretic results, making it possible to prove
that $2n + 1$ approximations obtained by the above sampling process form an
approximate generating set of $\Lambda^*$ with constant probability for fixed dimension.
No such bound on the number of required samples was proved in the previous
works. Once we have such an approximate generating set, we recover an
approximate basis of $\Lambda^*$. We describe an improved method for this purpose. We then
determine an approximate basis of $\Lambda$ from such an approximate basis of $\Lambda^*$.

Finally, we discuss in detail how to choose all parameters to obtain an
approximate basis of the period lattice $\Lambda$ that has the desired approximation
quality. We obtain an explicit lower bound on the success probability of our
algorithm, which reveals precisely how the complexity depends on the various
parameters. We compare this probability to the ones presented in the works
of Schmidt and Vollmer and Schmidt and conclude that our probability is
exponentially better by at least $2^{n^2-1}$. The work of Hallgren gives no explicit
probability.

Note that in the one-dimensional case more specialized algorithms lead to a
much better probability of success; see, for example, [Hal02, SW11].

1.3 Efficient quantum algorithms for problems in arithmetic geometry

We conclude the introduction with some comments on the existence of efficient
quantum algorithms for certain computationally hard problems in algebraic
geometry. Readers not familiar with algebraic geometry may not be aware that
many interesting problems can be reduced to the abelian HSP efficiently. The
understanding of these reductions does require some specialized knowledge in
algebraic geometry, but the necessary results are fairly standard. As noted
previously, infrastructures obtained from function fields are easier to handle than
general infrastructures. As shown in Theorem 7.1 of [Fon11], such infrastructures
embed in a natural way into the divisor class group of degree zero, which
is a finite abelian group in the case of function fields with finite constant field.
There are polynomial time classical algorithms to do arithmetic in this group,
for instance, the "algebraic" algorithm by F. Heß [Hes02, DieOS]. Therefore, one
can directly apply the standard algorithm for the abelian HSP [CM01] to
compute the period lattice. Other important problems, such as determining discrete
logarithms in the infrastructure, computing the whole divisor class group and
the ideal class group, solving the principal ideal problem, as well as computing
the Zeta function, can all be treated in the same way. The latter problem was
solved in [Ked06] using this approach, while relying on a less efficient "geometric"
method based on the Brill-Noether algorithm to do arithmetic.

Arithmetic geometry provides a unifying understanding and treatment of 
problems related to global fields. On the one hand, the discussion above shows 
that the algebro-geometric problems for function fields with finite constant fields 
(i.e., function fields of curves over finite fields) can be reduced to the abelian 
HSP. This presents an elegant and efficient quantum solution. On the other 
hand, the analysis of the quantum algorithms for the corresponding number- 
theoretic problems is significantly more challenging. We believe that our rigor- 
ous and improved treatment of the problem of computing the period lattice of 
non-discrete infrastructures can serve as a valuable starting point for address- 
ing other number-theoretic problems and also finding more efficient quantum 
algorithms for them. A first stepping stone is our new method for sampling 
approximations of vectors of the dual lattice, which improves the success prob- 
ability by an exponential factor. 
2 Formal definition of an infrastructure



An $n$-dimensional infrastructure $\mathcal{I}$ consists of

• a lattice $\Lambda$ of full rank, called the period lattice,

• a finite non-empty set $X$, an injective map $d : X \to \mathbb{R}^n/\Lambda$, and

• a set of $f$-representations $\mathrm{Rep}^f(\mathcal{I})$, i.e., a subset $\mathrm{Rep}^f(\mathcal{I}) \subseteq X \times \mathbb{R}^n$ with
$X \times \{0\} \subseteq \mathrm{Rep}^f(\mathcal{I})$ such that the function

$$\Phi_{\mathcal{I}} : \mathrm{Rep}^f(\mathcal{I}) \to \mathbb{R}^n/\Lambda, \quad (x,t) \mapsto d(x) + t$$

is a bijection.

Such a set of $f$-representations yields a reduction map $\mathrm{red} : \mathbb{R}^n/\Lambda \to X$
satisfying $\mathrm{red}(\Phi_{\mathcal{I}}(x,t)) = x$ for all $(x,t) \in \mathrm{Rep}^f(\mathcal{I})$, as well as a giant step
operation $\mathrm{gs} : X \times X \to X$ by $\mathrm{gs}(x,y) = \mathrm{red}(d(x) + d(y))$. Note that the set of
$f$-representations has a natural group structure using the pull-back of the group
operation of $\mathbb{R}^n/\Lambda$ via $(x,t) + (x',t') := \Phi_{\mathcal{I}}^{-1}(\Phi_{\mathcal{I}}(x,t) + \Phi_{\mathcal{I}}(x',t'))$.

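Given such a set of $f$-representations, we can unroll the infrastructure. Let
$\pi : \mathbb{R}^n \to \mathbb{R}^n/\Lambda$ be the canonical projection, and set

$$\hat{X} := \pi^{-1}(d(X)).$$

This is a discrete non-empty subset of $\mathbb{R}^n$ satisfying $\hat{X} + \Lambda = \hat{X}$. Define $\hat{d}(\hat{x}) = \hat{x}$
for all $\hat{x} \in \hat{X}$ and

$$V_{\hat{x}} := \{ \hat{d}(\hat{x}) + t \mid (d^{-1}(\pi(\hat{x})), t) \in \mathrm{Rep}^f(\mathcal{I}) \}$$

for every $\hat{x} \in \hat{X}$. Then $\mathbb{R}^n$ is the disjoint union of all $V_{\hat{x}}$, $\hat{x} \in \hat{X}$, and one can
define $\widehat{\mathrm{red}} : \mathbb{R}^n \to \hat{X}$ by $\widehat{\mathrm{red}}(u) = \hat{x}$ if $u \in V_{\hat{x}}$.

The unrolled infrastructure is periodic with period lattice $\Lambda$ in the sense
that for $\hat{x} \in \hat{X}$, $v \in \mathbb{R}^n$ and $\lambda \in \Lambda$, we have $\hat{x} + \lambda \in \hat{X}$, $V_{\hat{x}+\lambda} = V_{\hat{x}} + \lambda$,
$\widehat{\mathrm{red}}(v + \lambda) = \widehat{\mathrm{red}}(v) + \lambda$ and $\hat{d}(\hat{x} + \lambda) = \hat{d}(\hat{x}) + \lambda$. Moreover, $\pi(\hat{x}) = \pi(\hat{y})$ for
$\hat{x}, \hat{y} \in \hat{X}$ if, and only if, $\hat{y} - \hat{x} \in \Lambda$.

For $s, t \in \mathbb{R}^n$, we write $[s,t]$ for $\{r \in \mathbb{R}^n \mid s \le r \le t\}$, where "$\le$" denotes
the component-wise inequality on $\mathbb{R}^n$. We say that a subset $U \subseteq \mathbb{R}^n$ is cornered
with corner $s \in \mathbb{R}^n$ if $s \in U$ and for every $t \in U$, $t \in [s,t] \subseteq U$. In other words,
$U = \bigcup_{t \in U} [s,t]$. Note that every cornered subset of $\mathbb{R}^n$ has exactly one corner,
which is its minimal element with respect to $\le$. We say that $\mathcal{I}$ is cornered if for
all $\hat{x} \in \hat{X}$, $V_{\hat{x}}$ is cornered with corner $\hat{x}$.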

We make the following assumptions:

A1) There exists a constant $A > 0$ such that for every $\hat{x} \in \hat{X}$,

$$V_{\hat{x}} \subseteq \hat{x} + [0,A]^n.$$

A2) There exist constants $C, D > 0$ such that for every $r \in \mathbb{R}^n$, the set

$$(r + [0,C]^n) \cap \hat{X}$$

contains at most $D$ elements.

A3) There exists a polynomial-time algorithm such that for given $k \in \mathbb{N}$ and
$u \in \mathbb{Z}^n$, one can compute $(x,t) \in X \times$ such that

(a) $\|\hat{x} + t - 2^{-k}u\|_\infty < 2^{-k}$ for some $\hat{x} \in \hat{X}$ with $d^{-1}(\pi(\hat{x})) = x$;

(b) $(2^{-k}u + (-2^{-k}, 2^{-k})^n) \cap V_{\hat{x}} \ne \emptyset$.

The running time is polynomial in $k$ and log when the dimension $n$
is held constant.

Proposition 2.1. Let $K$ be a global field. Then any infrastructure obtained
from $K$ in the sense of [Fon11, Section 6] has $f$-representations in a natural
way and is cornered. Moreover, it satisfies A1) to A3) with explicit constants
$A, C, D$:

If $K$ is a number field of discriminant $\Delta$ and degree $d = [K : \mathbb{Q}]$, then one
can choose $A = \frac{1}{2}\log|\Delta|$, $C = \log 2$ and $D = 4^d$. If $K$ is a function field of
genus $g$ and degree $d = [K : k(x)]$, then one can choose $A = g + d - 1$, $C = 1 - \varepsilon$
for any $\varepsilon \in (0,1)$, and $D = 1$.

Sketch of Proof. Assume that the infrastructure is $\mathcal{I} = (X^{\mathfrak{a}}, d^{\mathfrak{a}}, \mathrm{red}^{\mathfrak{a}})$ in the
notation of [Fon11]. Here, $\mathfrak{a}$ is an ideal of the ring of integers $\mathcal{O}$ (or the ring of
holomorphic functions in case $K$ is a function field), and $X^{\mathfrak{a}}$ is essentially the
set of reduced ideals equivalent to $\mathfrak{a}$. If $|\cdot|_1, \dots,$ are the pairwise different
absolute values of $K$, we define $\Lambda := \{(\log|\varepsilon|_1, \dots, \log|\varepsilon|_n) \mid \varepsilon \in \mathcal{O}^*\}$, which is
isomorphic to the free part of the finitely generated abelian group $\mathcal{O}^*$ of units
of $\mathcal{O}$. The definition of $f$-representations is rather technical, whence we do not
repeat it here, but just refer to Definition 6.3 of [Fon11]. For every $\hat{x} \in \hat{X}$,

$$V_{\hat{x}} = \hat{x} + W(d^{-1}(\pi(\hat{x}))), \quad \text{where } W(x) = \{t \in \mathbb{R}^n \mid (x,t) \in \mathrm{Rep}^f(\mathfrak{a})\} \text{ for } x \in X.$$

It is clear from Definition 6.3 in [Fon11] that $W(x)$ is cornered with corner 0.
Hence, $\mathcal{I}$ is a cornered infrastructure. Our assumption A1) follows from
Proposition 8.1 of [Fon11]. The second assumption A2) holds trivially for function
fields; for number fields, it follows from Lemma 3.2 in [Buc87b].

Assumption A3) will be discussed in an upcoming paper of the first author
and M. J. Jacobson, Jr. In the case of function fields, the algorithms are of
polynomial running time with respect to the genus of the function field as well
as the size of its representation. In the case of number fields, the algorithms
are polynomial with respect to the logarithm of the discriminant of the number
field, but exponential in its degree $d = [K : \mathbb{Q}]$, as one has to find shortest
vectors in lattices of dimension $d$. □

Note that the algorithm we plan to use for A3) is exponential in $n$, but
significantly more efficient than the algorithms that were proposed in [Hal05]
and [SV05]. These are based on [Thi95a, Chapter 5 and 6], which essentially
uses Buchmann's baby step algorithm [Buc87a, Buc87c]. The latter is known
for being practically unusable [BJP94]. Even on modern computers, computing
all minima of one reduced ideal can take a long time for not too large number
field degrees, say $[K : \mathbb{Q}] = 8$ (which yields $n = 7$); the first author verified this
in 20f when implementing that algorithm.

Note that Schoof's Algorithm 10.7 in [Sch08] is also mentioned in [Hal05] as
a more efficient alternative to Buchmann's algorithm. Unfortunately, Schoof's
algorithm uses a different distance function from the one used by Hallgren and
by us. Therefore, Schoof's algorithm cannot be applied without non-trivial
modifications if one wants to obtain a provably polynomial-time quantum algorithm
for computing the period lattice.

Observe that A3) follows from the existence of two simpler algorithms.
Before we list these, we need to define what an "approximate $f$-representation of
error at most $\varepsilon$" of a point $r \in \mathbb{R}^n$ is. This is a pair $(x,t) \in X \times \mathbb{R}^n$ satisfying

(a) $\|\hat{x} + t - r\|_\infty < \varepsilon$ for some $\hat{x} \in \hat{X}$ with $d^{-1}(\pi(\hat{x})) = x$;

(b) $(r + (-\varepsilon,\varepsilon)^n) \cap V_{\hat{x}} \ne \emptyset$.

Now we can describe the characteristics of the two simpler algorithms, which
can be combined to obtain such an algorithm as described in A3):

(a) one algorithm which, given $\ell \in \mathbb{N}$ and $r \in 2^{-\ell}\{-2^\ell, -2^\ell + 1, \dots, 2^\ell\}^n \subseteq
[-1,1]^n$, computes an approximate $f$-representation $(x,t)$ of error at most
$2^{-\ell}$ such that $\|d(x) + t - r\|_\infty < 2^{-\ell}$ in time polynomial in $\ell$;

(b) a second algorithm which, given two approximate $f$-representations of error
at most $2^{-\ell'}$, computes an approximate $f$-representation of their sum of error
at most $2^{-\ell'+1}$ in time polynomial in $\ell'$.

One can compute an approximate $f$-representation of any $r \in \mathbb{R}^n$ of error at
most $2^{-k}$ in time polynomial in $\log\|r\|_\infty$ and $k$. This is done by using a double
and add technique and by calling these algorithms to obtain approximate
$f$-representations of error at most $2^{-(k+k')}$, where $k' = O(\log\|r\|_\infty)$.

The formal definition of the problem of computing the period lattice is as 
follows. 

Definition 2.2. Given $\gamma \in (0,1)$, the task is to find $\tilde\lambda_1, \dots, \tilde\lambda_n \in \mathbb{R}^n$ such that
there exists a basis $\lambda_1, \dots, \lambda_n$ of $\Lambda$ with

$$\|\tilde\lambda_j - \lambda_j\|_2 < \gamma$$

for $j = 1, \dots, n$. We call such $\tilde\lambda_1, \dots, \tilde\lambda_n$ a $\gamma$-approximate basis of $\Lambda$.

We present a quantum algorithm with running time polynomial in $\log\det(\Lambda)$
and $\log(1/\gamma)$ when $A$, $1/C$, $D$ and $1/\lambda_1(\Lambda)$ can be bounded polynomially in
terms of $\log\det(\Lambda)$. Here, $\lambda_1(\Lambda)$ denotes the first consecutive minimum of $\Lambda$,
i.e., the length of a shortest non-zero vector in $\Lambda$. Note that for number fields,
$\lambda_1(\Lambda)$ can be bounded from below by a bound depending only on $n$; see Satz 5.6
in [Buc87c].

In the case of computing units of a global field, computing a $\gamma$-approximate
basis of $\Lambda$ yields approximations of the logarithms of the absolute values of the
units. These approximations can be refined to arbitrary precision in polynomial
time. Note that one can also relatively efficiently recover the corresponding
units themselves; since their representation is not of size polynomial in the
genus respectively logarithm of the discriminant, explicitly computing them
cannot be done in polynomial time. What can be done is computing a
so-called compact representation of a unit, which was presented for number fields in
[Thi95a, Thi95b] and for function fields in [EH12]; one can modify the quantum
algorithm to output such compact representations of the units and still run in
polynomial time.

Finally, we want to mention that our algorithm can be interpreted as an
algorithm for solving certain instances of a Hidden Subgroup Problem for the
group $G = \mathbb{R}^n$ provided that the group operation in $\mathrm{Rep}^f(\mathcal{I})$ is effective. In case
the infrastructure is obtained from a global field as in the above proposition,
the group operation is effective and is described explicitly in Theorem 7.3 of
[Fon11].

Now one can consider the group homomorphism $f : \mathbb{R}^n \to \mathrm{Rep}^f(\mathcal{I})$ as the
composition of the canonical projection $\pi : \mathbb{R}^n \to \mathbb{R}^n/\Lambda$ with $\Phi_{\mathcal{I}}^{-1}$. This map
can be effectively computed - ignoring rounding and approximation issues - and
it hides the lattice $\Lambda$ by $\ker f = \Lambda$.

3 Detailed outline of the quantum algorithm and new contributions

Let $N \in \mathbb{N}$ and $s \in \mathbb{R}^n$ be fixed. Consider the function

$$f : \mathbb{R}^n \to X \times \mathbb{Z}^n, \quad v \mapsto (x, \lfloor Nt \rfloor) \quad \text{where } \Phi_{\mathcal{I}}^{-1}(\pi(s + \tfrac{1}{N}v)) = (x,t).$$

If $f(v) = f(v')$ for $v, v' \in \mathbb{Z}^n$, then $v - v'$ lies close to an element of $N\Lambda$. We
want to use the quantum computer to find such collisions.

Let $\mathcal{V} = \{0, \dots, qN-1\}^n$ and $\mathcal{W} = \{0, \dots, 2nqN-1\}^n$ where $q$ and $N$ are
positive integers that will be fixed later. Set $V = |\mathcal{V}|$ and $W = |\mathcal{W}|$. The input
register is = (^C^""?^) The output register is with $d$ sufficiently large
so it can store any element of the image $f(\mathcal{V})$. In the following we use $f$ to
denote the restriction of $f$ to $\mathcal{V}$. We assume that we have a reversible version
$U_f$ of $f$ that acts on the above input and output registers.

Algorithm

1. We start by preparing the state



1 



Note that we evaluate $f$ only on the subset $\mathcal{V}$ of $\mathcal{W}$.

2. We measure the output register and denote the outcome by $f(v)$ for some
$v \in \mathcal{V}$. The post-measurement state is then



where $\mathcal{M} := \{v' \in \mathcal{V} \mid f(v') = f(v)\}$ and $M = |\mathcal{M}|$.

3. We apply the $n$-fold tensor product of the quantum Fourier transform of
size $2nqN$ on the input register and obtain the state



where $\cdot$ denotes the inner product on $\mathbb{R}^n$.

4. Finally, we measure the input register and denote the outcome by $w$.

This quantum procedure is repeated $2n + 1$ many times to obtain the samples
$w_1, \dots, w_{2n+1}$. A subsequent classical post-processing step makes it possible to
extract an approximate basis of $\Lambda$ from these samples with a probability that
can be bounded from below by a positive constant.

Organization of the paper and outline of technical results 

In Section 4 we prove that with constant probability all evaluation points $v/N + s$
($v \in \mathcal{V}$) are sufficiently far away from the boundary of $V_{\hat{x}}$ for all $\hat{x} \in \hat{X}$. This
is achieved by choosing the shift $s$ uniformly at random from a certain finite
set. This ensures that we can compute $f(v)$ correctly for all $v \in \mathcal{V}$ even though
we may only determine approximate $f$-representations.

In Section 5 we show that the probability for post-measurement states being
periodic states can be bounded from below by a constant. Roughly speaking,
a periodic state corresponds to a (randomly) translated and perturbed finite
portion of the lattice $N\Lambda$ that may be missing some points. In particular, we
establish a lower bound on $M$ showing that not too many points are missing in
the superposition.

To derive the results in Sections 4 and 5 it is absolutely indispensable to take
into account that the infrastructure is cornered. Relying only on a lower bound on
the minimal distance between two elements of $\hat{X}$ is not sufficient because the
union of $\varepsilon$-neighborhoods of the boundaries of $V_{\hat{x}}$ of all $\hat{x} \in \hat{X}$ could still fill out
too much of $\mathbb{R}^n$. In the one-dimensional case, the regions $V_{\hat{x}}$ are intervals. In
contrast to that, in the $n$-dimensional case, their shapes can take on much more
complicated forms. This makes the analysis more difficult. This problem was
mentioned, but not resolved in [Hal05], while in [SV05, Sch07], this problem
was solved differently by relaxing the conditions of the quantum algorithm on
the function $f$.

In Section 6 we show that the last step of the above quantum procedure
yields an approximation of an element of the dual lattice $\Lambda^* = \{\lambda^* \in \mathbb{R}^n \mid \forall \lambda \in
\Lambda : \langle \lambda^*, \lambda \rangle \in \mathbb{Z}\}$ with a certain probability. It becomes essential here that the
Fourier transform is taken over the larger window $\mathcal{W}$, while $f$ is only evaluated
inside $\mathcal{V}$. This makes it possible to mitigate the perturbation effects.

More precisely, we determine a lower bound on the probability that the outcome
$w$ obtained in the final step is contained in the set $\mathcal{R}_{\lambda^*}$, where

$$\mathcal{R}_{\lambda^*} := \{ (w_1, \dots, w_n) \mid w_k \in \{\lfloor 2nq\lambda_k^* \rfloor, \lfloor 2nq\lambda_k^* \rfloor + 1\} \text{ for } k = 1, \dots, n \}$$

and $\lambda^* = (\lambda_1^*, \dots, \lambda_n^*) \in \Lambda^*$. Such elements yield good approximations of $\lambda^*$
since
since 

2nq 



1 

< 



2 l^pnq 
for all $w \in \mathcal{R}_{\lambda^*}$.

The works [Hal05] and [SV05, Sch07] consider only elements of the more
restrictive form $[2nq\lambda^*]$, where $[u]$ means that we round each coefficient of $u \in \mathbb{R}^n$
to the closest integer. This is why our method improves the success probability
of obtaining a single good approximation by the exponential factor $2^{n-1}$. It can
be shown that at least $n + 1$ samples are needed so our method provably leads
to an overall improvement of the success probability by the factor $2^{n^2-1}$.
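
The following Python sketch is an added illustration, not code from the paper: it simulates steps 1 to 4 classically for a constructed one-dimensional infrastructure and compares the probability mass on outcomes of the form floor or floor plus one with the mass on the rounded outcomes alone. The period R, the distinguished points X, the shift s and the parameters q, N, v0 are assumed values chosen for the example.

```python
import cmath
import math

# Constructed toy infrastructure for n = 1 (an assumption of this example):
# period lattice Lambda = R*Z and distinguished points X in [0, R); the region
# of a point x is the half-open interval from x to the next distinguished point.
R = 5.3721
X = [0.0, 1.25, 2.9, 4.1]


def f_representation(u):
    """Return (index of x, t) with u = x + t modulo the period R."""
    r = u % R
    i = max(k for k, x in enumerate(X) if x <= r)
    return i, r - X[i]


def f(v, N, s):
    """f(v) = (x, floor(N*t)), evaluated at the grid point s + v/N."""
    i, t = f_representation(s + v / N)
    return i, math.floor(N * t)


def preimage(v0, q, N, s):
    """Support of the post-measurement state: all v' in {0..qN-1} with f(v') = f(v0)."""
    target = f(v0, N, s)
    return [v for v in range(q * N) if f(v, N, s) == target]


def outcome_distribution(support, q, N, n=1):
    """Pr[w] after the QFT of size 2nqN on the uniform superposition over `support`."""
    size = 2 * n * q * N
    probs = []
    for w in range(size):
        amp = sum(cmath.exp(2j * math.pi * v * w / size) for v in support)
        probs.append(abs(amp) ** 2 / (size * len(support)))
    return probs


def acceptance_sets(q, N, n=1):
    """Outcomes accepted as approximations of c = 2nq*lambda*, lambda* = j/R in the dual lattice.

    floor_sets: w in {floor(c), floor(c) + 1}; rounded: w = nearest integer to c.
    """
    size = 2 * n * q * N
    floor_sets, rounded = set(), set()
    j = 0
    while 2 * n * q * j / R < size:
        c = 2 * n * q * j / R
        lo = math.floor(c)
        floor_sets.update(w for w in (lo, lo + 1) if w < size)
        nearest = math.floor(c + 0.5)
        if nearest < size:
            rounded.add(nearest)
        j += 1
    return floor_sets, rounded


def run(q=32, N=8, s=0.137, v0=5):
    """Simulate one round: measure f(v0), Fourier transform, compare acceptance sets."""
    support = preimage(v0, q, N, s)
    probs = outcome_distribution(support, q, N)
    floor_sets, rounded = acceptance_sets(q, N)
    return {
        "support": support,
        "total": sum(probs),
        "p_floor_sets": sum(probs[w] for w in floor_sets),
        "p_rounded": sum(probs[w] for w in rounded),
    }


if __name__ == "__main__":
    result = run()
    print("colliding grid points:", result["support"])
    print("mass on floor / floor+1 outcomes:", round(result["p_floor_sets"], 3))
    print("mass on rounded outcomes only:  ", round(result["p_rounded"], 3))
```

The colliding grid points differ by approximate multiples of N*R, and the rounded outcomes are always a subset of the floor and floor-plus-one outcomes, so the second probability can never exceed the first.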

In Section 7 we present lattice and group theoretic results, yielding a lower
bound on the probability that $n$ lattice vectors drawn uniformly at random
from $L \cap [0, 6)^n$ and $n + 1$ lattice vectors drawn uniformly at random from
$L \cap [0, 5o)^n$ generate together the entire lattice $L$, where $L$ is a full-rank lattice
in $\mathbb{R}^n$ and 6 < 5o are sufficiently large. Neither [Hal05] nor [SV05, Sch07] provide
an explicit and proven upper bound on the complexity of generating a lattice
by drawing samples. But this is a crucial result, directly affecting the success
probability of the algorithm.

In Section 8 we specialize these lattice-theoretic results to $L := \Lambda^*$ and
present an explicit lower bound on the probability that the $2n + 1$ samples
$w_1, \dots, w_{2n+1}$ output by our quantum algorithm yield an approximate
generating set for the dual lattice $\Lambda^*$.

In Section 9 we first present technical results based on [BK93] showing how
to construct an approximate basis of $L$ from an approximate generating set of
$L$. Then, we show how to recover an approximate basis of the dual lattice $L^*$
from the previously determined approximate basis of $L$.

Finally, in Section 10 we combine all results from the previous sections and
show how to find an approximate basis for the period lattice $\Lambda$. We explain in detail
how to choose all parameters. We also bound the success probability of our
algorithm from below. There is a classical method for checking whether the
computed basis vectors are indeed close to elements of $\Lambda$. If that is the case, we
have computed $\Lambda$ with a high probability.

Unfortunately, the success probability of this algorithm decreases
exponentially in the dimension $n$ of the infrastructure. This is a common problem of
such algorithms which also applies to the algorithms described in [Hal05] and
[SV05] (see also [Sch07, p. 122]). However, the success probability of our
algorithm decreases less rapidly than that of the previous works. It is better by the
exponential factor $2^{n^2-1}$.

4 Computing the function $f$ that hides the period lattice $\Lambda$

We consider a computable version $\tilde{f}$ of $f$ and show under which conditions
$\tilde{f}(v) = f(v)$ holds for all $v \in \mathcal{V}$ with high probability. Recall that $v$ corresponds
to the point $s + \frac{1}{N}v$, where $s$ is a random offset. We show that if $s$ is chosen
uniformly at random from a certain finite set, then with high probability
none of these evaluation points $u := s + \frac{1}{N}v$ (for $v \in \mathcal{V}$) falls into regions in
which the method A3) may return a result that leads to a wrong evaluation of
$f(v)$.

Let $v \in \mathcal{V}$ yield $f(v) = (x, \lfloor Nt \rfloor)$ with $(x,t) = \Phi_{\mathcal{I}}^{-1}(\pi(u))$. Let $\hat{x} \in \hat{X}$ with
$u \in V_{\hat{x}}$; then $\pi(\hat{x}) = d(x)$ and $u - \hat{x} = t$. If $u$ is sufficiently far away from $\partial V_{\hat{x}}$,
then the oracle in A3) returns the correct $x \in X$. Moreover, if $t = (t_1, \dots, t_n) \in
\mathbb{R}^n$ has no coordinate which comes close to an integer multiple of $\frac{1}{N}$, then the
coordinates of $Nt$ are bounded away from integers and $\lfloor Nt \rfloor = \lfloor Nt' \rfloor$ for all $t'$
which are close enough to $t$. This ensures that the oracle in A3) outputs an
approximation $(x,t')$ of $\Phi_{\mathcal{I}}^{-1}(\pi(u)) = (x,t)$ such that $(x, \lfloor Nt \rfloor) = (x, \lfloor Nt' \rfloor)$.

A boundary point of $\mathcal{I}$ is a point $u \in \mathbb{R}^n$ such that every neighborhood of $u$
contains points from at least two different $V_{\hat{x}}$. Denote the set of all boundary
points by $H$; then

$$H = \bigcup_{\hat{x} \in \hat{X}} \partial V_{\hat{x}}.$$

For a given $\varepsilon > 0$, define the enhanced boundary

$$H(\varepsilon) := H + [-\varepsilon, \varepsilon]^n.$$

Observe that $\hat{X} \subseteq H \subseteq H(\varepsilon)$ since by assumption all $V_{\hat{x}}$ are cornered sets with
corner $\hat{x}$. An example of how cornered sets could tile the plane is shown in
Figure 1, in which the enhanced boundary $H(\varepsilon)$ is highlighted.

If $u = s + \frac{1}{N}v \notin H(\varepsilon)$, then the oracle in A3) can be used to correctly compute
the $x$ part of $f(v) = (x, \lfloor Nt \rfloor)$. To ensure that the $\lfloor Nt \rfloor$ part of $f(v) = (x, \lfloor Nt \rfloor)$
is also correctly computed, we need $v$ to avoid a larger set. Formally, we define

$$H^{\mathrm{grid}}(\varepsilon) := \bigcup_{\hat{x} \in \hat{X}} \left( (\tfrac{1}{N}\mathbb{N}^n + \partial V_{\hat{x}}) \cap V_{\hat{x}} \right) + [-\varepsilon, \varepsilon]^n.$$
Figure 1: Demonstrating the tiling of $\mathbb{R}^2$ by cornered sets $V_{\hat{x}}$, $\hat{x} \in \hat{X}$. The
enhanced boundary region $H(\varepsilon)$ is highlighted.



Clearly, we have $H(\varepsilon) \subseteq H^{\mathrm{grid}}(\varepsilon)$ for all $N > 1$. An example of what $H^{\mathrm{grid}}(\varepsilon)$
may look like is shown in Figure 2.

Lemma 4.1. Let $L, N, q \in \mathbb{N}$ with $L, N, q > 1$ and $\varepsilon$ with $0 < \varepsilon <$ be given.
Let 

5:=^{0,...,L-ir. 

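For $s \in S$, consider the shifted grid

$$G(s) := \{ s + \tfrac{1}{N}v \mid v \in \mathcal{V} \}.$$

Assume that for some $s \in S$ we have $G(s) \cap H^{\mathrm{grid}}(\varepsilon) = \emptyset$. Then, this implies
the following two conditions:

1. For every $v \in \mathcal{V}$, there is exactly one $\hat{x} \in \hat{X}$ with $V_{\hat{x}} \cap (s + \frac{1}{N}v + (-\varepsilon,\varepsilon)^n) \ne
\emptyset$.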

2. Let T := {< e R" I 3t) G V : $x^(s + j^v) = {x,t)}. Then, we have 

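These conditions show that we can compute $f$ correctly using A3) if the
precision used there is at most |; the first condition ensures that the $x$ part
of $f(v) = (x, \lfloor Nt \rfloor)$ can be computed exactly, and the second condition ensures
that $\lfloor Nt \rfloor$ is exact.

Proof. Observe that $G(s) \cap H^{\mathrm{grid}}(\varepsilon) = \emptyset$ implies $G(s) \cap H(\varepsilon) = \emptyset$. We show
that the latter implies the first condition of the lemma. The more general
$G(s) \cap H^{\mathrm{grid}}(\varepsilon) = \emptyset$ is needed to eliminate some sporadic cases in the second
condition.

1. Since $\bigcup_{\hat{x} \in \hat{X}} V_{\hat{x}} = \mathbb{R}^n$ there must be at least one such $\hat{x}$. Let $\hat{x} \in \hat{X}$ be
one such element. In the case that $s + \frac{1}{N}v + (-\varepsilon,\varepsilon)^n$ is not completely
contained in $V_{\hat{x}}$, the translated open disc $s + \frac{1}{N}v + (-\varepsilon,\varepsilon)^n$ must contain
some $y \in \partial V_{\hat{x}}$. But this implies that $G(s) \ni s + \frac{1}{N}v \in y + [-\varepsilon,\varepsilon]^n \subseteq H(\varepsilon)$,
contradicting $G(s) \cap H(\varepsilon) = \emptyset$. Thus $s + \frac{1}{N}v + (-\varepsilon,\varepsilon)^n \subseteq V_{\hat{x}}$ and we are
done.

2. Assume that $t \in T$ can be written as $t = \frac{1}{N}w + e$ with $w \in \mathbb{N}^n$ and
$e \in [-\varepsilon,\varepsilon]^n$, i.e., $t \in T \cap ([-\varepsilon,\varepsilon]^n + \frac{1}{N}\mathbb{N}^n)$. As $t \in T$ there exists some
$u \in G(s)$ with $\Phi_{\mathcal{I}}^{-1}(\pi(u)) = (x,t)$, $x \in X$. Let $\hat{x} \in \hat{X}$ with $u \in V_{\hat{x}}$;
then $u = \hat{x} + \frac{1}{N}w + e$. But this yields $u \in ((\frac{1}{N}\mathbb{N}^n + \partial V_{\hat{x}}) \cap V_{\hat{x}}) + [-\varepsilon,\varepsilon]^n$
and thus $u \in H^{\mathrm{grid}}(\varepsilon)$. Hence, $u \in G(s) \cap H^{\mathrm{grid}}(\varepsilon)$. □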

We now determine a lower bound on the probability that the desired
condition $G(s) \cap H^{\mathrm{grid}}(\varepsilon) = \emptyset$ holds when $s$ is chosen uniformly at random in $S$ and
$L$ is sufficiently large.

Proposition 4.2. Let $q, N \in \mathbb{N}$ with $q, N > 1$ and $p \in (0,1)$ be given. Choose
$L$ and $\varepsilon$ such that

^ ^ 2ni^(g + A + G + 2)" ^ 
-L > — and e < T^yrrr. 

(1 -p)G" - 2^-^ 

// we select s £ S uniformly at random, then 

Pr(G(s)n77S"d^e) =0) > p. 
The main idea behind the proof of this proposition is as follows: while $\partial V_x$
for a single $x$ can be difficult to describe, the union of all $\partial V_x$, where $x$ ranges
over all $x \in X$, has a much simpler structure. For instance, in the case of $n = 2$,
i.e., in the plane, it suffices to consider only two faces of $\partial V_x$, namely, the ones
incident with $x$. Let us call these two faces the principal boundaries of $V_x$.
Every boundary point is an element of a principal boundary of at least one $V_x$.
The principal boundaries of some $V_x$ from Figure 1 are shown in Figure 3; note
that we capped off the ends of the principal boundaries to make it possible to
distinguish between different principal boundaries. The corners of the sets are
marked by large dots, and the principal boundaries by thick lines. The proof
works by covering the principal boundaries by larger sets which are known to
cover them; for this, we need assumption A1).



Figure 3: Example showing the principal boundaries of some of the cornered
sets of H from Figure 1. The principal boundaries are depicted in black. We
capped them in the figure to make clear to which corners they belong.

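Proof of Proposition 4.2. Define

$$X' := X \cap [-A - \varepsilon, q + 1 + \varepsilon]^n,$$

$$F(s) := \Big(s + \tfrac{1}{N}\mathbb{Z}^n\Big) \cap \Big(\bigcup_{x \in X'} \partial V_x + [-\varepsilon,\varepsilon]^n\Big).$$

We first show that $F(s) = \emptyset$ implies the desired condition $G(s) \cap H^{\mathrm{grid}}(\varepsilon) = \emptyset$
and then bound the number of $s$ in $S$ for which it may be the case that $F(s) \ne \emptyset$.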

We prove the first part by considering the contraposition of the implication.
Assume that some $u \in G(s) \cap H^{\mathrm{grid}}(\varepsilon)$ exists. Then there exists some $x \in X$
and some $e \in [-\varepsilon,\varepsilon]^n$ such that $u - e \in (\frac{1}{N}\mathbb{N}^n + \partial V_x) \cap V_x$, and $u = s + \frac{1}{N}v$
with u e V = Z" n [0,qN - 1]". In particular, u € [0,q- and hence 

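$$u - e \in [-\varepsilon, q + \varepsilon]^n.$$

We have $V_x \subseteq x + [0,A]^n$ since $V_x$ is cornered with corner $x$ and A1) holds.
This implies $x \in u - e - [0,A]^n \subseteq [-\varepsilon - A, q + \varepsilon]^n$ and hence $x \in X'$. As
$u - e \in \frac{1}{N}\mathbb{N}^n + \partial V_x$, we can write $u - e = b + \frac{1}{N}w$ with $b \in \partial V_x$ and $w \in \mathbb{N}^n$.
But this yields that $b + e \in F(s)$ and hence $F(s) \ne \emptyset$.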
We now bound the number of $s \in S$ with $F(s) \ne \emptyset$. For $x \in X$, define

H'{x,e,i) := + (^i, . . . , t„) | < < A + e, s <t,< e} 

and $H'(x,\varepsilon) := \bigcup_{i=1}^{n} H'(x,\varepsilon,i)$. This set $H'(x,\varepsilon)$ covers the enhanced principal
boundaries of $V_x$. The observation on which this proof is based (see Figure 3)
can now be expressed by

$$H(\varepsilon) \subseteq \bigcup_{x \in X} H'(x,\varepsilon),$$

which implies

$$F(s) \subseteq \bigcup_{x \in X'} H'(x,\varepsilon) \cap \Big(s + \tfrac{1}{N}\mathbb{Z}^n\Big).$$

We count the number of $s$ for which it may be the case that
$H'(x,\varepsilon) \cap (s + \frac{1}{N}\mathbb{Z}^n) \ne \emptyset$ for a fixed $x$, and then multiply this by an upper bound on the
number of elements in $X'$. This allows us to obtain the formula from the
theorem statement.

To obtain an upper bound on the cardinality $|X'|$, we use A2). Since $X'$ is
contained in at most $\left(\frac{q+1+A+2\varepsilon}{C} + 1\right)^n$ blocks of size $C$,
$|X'| < D \cdot \left(\frac{q+1+A+2\varepsilon}{C} + 1\right)^n$

by A2).

Now let $x \in \mathbb{R}^n$ be arbitrary. As $\varepsilon < \frac{1}{2NL}$, there are at most $2L^{n-1}$ choices
for $s \in S$ with $H'(x,\varepsilon,i) \cap (s + \frac{1}{N}\mathbb{Z}^n) \ne \emptyset$. This shows that there are at most

bad choices for s E S, while \S\ = L". This, together with e < yields that 

the probability for G(s) n H{e) = is at least 

1 fq + A + 2 + CY 

Corollary 4.3. Let $N, q \in \mathbb{N}$ with $q, N > 1$ be given. Choose $L$ and $\varepsilon$ such that

$$L > \frac{4nD(q + A + C + 2)^n}{C^n} \quad\text{and}\quad \varepsilon < \frac{1}{2NL}. \tag{I}$$

If we select $s \in S$ uniformly at random, then

$$\Pr(G(s) \cap H^{\mathrm{grid}}(\varepsilon) = \emptyset) > \tfrac{1}{2}.$$

This implies that we can compute $f(v)$ correctly for all $v \in V$ and thus prepare
the state



in step 1 with probability greater or equal to $\frac{1}{2}$.






5 Preparing periodic states 



The original function o vr : R" K" /A Rep-'' (I) is perfectly periodic 
with period lattice $\Lambda$: if $u \in \mathbb{R}^n$ maps to $(x,t) \in \mathrm{Rep}^f(I)$, then $u + \lambda$ will also
map to $(x,t)$ for all $\lambda \in \Lambda$.

Due to precision issues we have to work with the function / : Z" — > Rep^ (I) 
defined by w >-> [x, YNt\) if ($^^ o 7r)(s + j^v) = {x,t). As NX wiU most 
certainly not have integral coordinates for $\lambda \in \Lambda$, we cannot directly obtain
the collision $f(v) = f(v + N\lambda)$. And, if we round the coordinates of $N\lambda$ down
or up to the nearest integers, it might happen that $f(v + [N\lambda])$ yields an
$f$-representation $(x', \lfloor Nt' \rfloor)$ with $x \ne x'$, no matter to which integers we round
the coordinates of $N\lambda$.

The first proposition of this section establishes a lower bound on the fraction
of grid points for which this problem does not occur. For these grid points, the
corresponding $f$-representation $(x,t)$ is sufficiently far away from the boundaries,
meaning that we remain in the same (translated) region $V_x$ when adding
a suitably rounded version of $N\lambda$.

Similarly to the argument used in the proof of Proposition 4.2 in the previous
section, we estimate the number of grid points lying in regions that are too close
to the principal boundaries. The union of all such regions is denoted by $H^{\mathrm{bound}}$.
An example for $n = 2$ is shown in Figure 4 with $H^{\mathrm{bound}}$ highlighted.

Proposition 5.1. Assume that $s \in S$ with $H(\varepsilon) \cap G(s) = \emptyset$ in the notation of
the previous section. Consider T/^ound gj" _^_ Then 

$$\frac{|G(s) \setminus H^{\mathrm{bound}}|}{|G(s)|} \ge 1 - \frac{1}{N} \cdot \frac{nD(q + 1 + A + C)^n (A + 2/N)^{n-1}}{(Cq)^n}.$$



Figure 4: The region $H^{\mathrm{bound}}$ highlighted. For some of the cornered sets, the
principal boundaries are shown.



Proof. Clearly $|G(s)| = (Nq)^n$. The cardinality of $G(s) \cap H^{\mathrm{bound}}$ can be estimated
by counting the number of cubes of the form $(-\frac{1}{N}, 0]^n$ needed to cover
$H^{\mathrm{bound}} \cap [0,q]^n$. For $x \in X$, define

H"{x,i) {x + iti,...,tn) I < <A,-^<U< 0} 
and $X'' := X \cap [-A, q + 1]^n$. Then

n n 

C (J (Ji7"(x,i) and G(s) n 77'^°""^ C |J \Jh"{x,i). 

Now H"{x,i) can be covered by + such cubes, whence the total 

number of cubes needed is less or equal to 

\X"\-n- \NA + l'\''-\ 

As above, $X''$ is contained in at most $\left(\frac{q+1+A}{C} + 1\right)^n$ blocks of size $C$, whence

$$|X''| \le \frac{D}{C^n}(q + 1 + A + C)^n.$$



Therefore, 



1 n-l 



\G{s) n I + l + A + C)" - n- [A^A + iy 

We now give an explicit lower bound on $N$ guaranteeing that the fraction of
grid points not contained in $H^{\mathrm{bound}}$ is sufficiently large.

Corollary 5.2. We may assume w.l.o.g. that $C < 1$. Choose $q$ and $N$ such
that

(7>9max{l,A}, anrf A^>max|-, ^ '-^^ 1. (II) 

If $s \in S$ is such that $H^{\mathrm{grid}}(\varepsilon) \cap G(s) = \emptyset$, then

1 A , |G(s) \ 77*^°""'^ I , 1 
< — and ' ^ ,1, > 1 



N - A \G{s)\ - 4(n+ 1) 

Note that we can always decrease $C$ without invalidating assumption A2).
Moreover, the recommended choice of $C$ in Proposition 2.1 for infrastructures
obtained from function fields or number fields satisfies $C < 1$.

Proof. Using N > the complement probability can be bounded by 



1 nD(g+l + A + G)"(A + 2/iV)"-i 

N (G(?)" 

^ 1 ni:>(l + l/g + A/g + G/g)"(A + A/2)"-i 

- N C" ■ 

As g > 9max{l, A}, we have l/q + A/q < |, and as G < 1, we have C/q < i. 
Therefore, l + l/q + A/q + C/q < 1 + ^ = ^, whence (1 + l/g + A/(? + G/g)"(l + 
< 2"-|. Finally, the choice of TV ensures that the complement probability 
is bounded by from above. □ 
Let C X X N be the set of rounded $f$-representations. More precisely, it
is defined by

{x, k) eJ' iff there exists w € V with f{v) = {x, k) and s + i i^^ound^ 

Lemma 5.3. Choose $q$ and $N$ according to (II). Assume $s \in S$ is such that
$G(s) \cap H(\varepsilon) = \emptyset$. Let $(x,k)$ be the measurement outcome obtained in step 2 of
the quantum algorithm. Then,

Proof. For a fixed pair [x' ,k'), the probability that this pair is sampled is 
|/-i(a;',fc')|- Let A be the set of elements w e V with s+^v ^ ^bound. ^-^^^ 

-4C y r\x,t'), 
(x' ,t')eF 

whence the probability we want to estimate can be bounded from below by 

But this quantity equals ^'^'■'^jp'^^^i i-, and by Corollary 15.21 it can be 

bounded from below by 1 — ^^^^^-^ ■ □ 

The next proposition makes precise statements on the periodicity of grid
elements outside $H^{\mathrm{bound}}$. First, we show that if $f(v) = f(v')$, then $\frac{1}{N}(v' - v)$
yields an approximation of some element $\lambda \in \Lambda$. Second, we show that for every
$\lambda \in \Lambda$ such that $v + N\lambda$ stays within the boundaries of the grid there exists
a unique $v'$ with $f(v) = f(v')$ and $\frac{1}{N}(v' - v) \approx \lambda$. Finally, we estimate the
number of collisions for one specific $v$, i.e., the numbers of $v'$ in the grid such
that $f(v) = f(v')$.

Proposition 5.4. Choose q and N such that 

"^Iw <■") 

q>2nv{K) + -. (IV) 

Assume that s £ S is such that G{s) n H^"^{j^) = 0. Let v £V be such that 
f{v) is equal to the measurement outcome. Assume that s + jjV ^ ffbomd^ 
M^W eV\ f{v') = f{v)} and M =\M\. 

(i) Let v' e M. We have \\[v — v') — -/VA||^ < 1 — for a unique A G A. 

(ii) Let A G A such that v + A^A G [^iqN — 2]". Then, there exists a unique 
v' e M satisfying \\{v - v') - NX\\^ < 1 - i. 

(iii) We have $M > M_\ell$, where

$$M_\ell := \frac{q^n}{\det(\Lambda)}\left(1 - \frac{3n}{qN} - \frac{2n\nu(\Lambda)}{q}\right).$$
Proof.

(i) Let ($^^ o 7r)(s + j^v) = {x,t) and ($^^ o 7r)(s + j^v') ^ {x',t'); then 
/(w) = (x, [TVtJ) and /(v') = {x', lNt'\). Note that m M"/A, we have 
d{x)+t ^ s + jfV and d{x')+t' = s + -^w', whence d{x)+t- {d{x')+t') = 

We have f{v) = f{v'). Therefore, x ^ x' and [Nt\ = [Nt'\, which 
yields \\t - t'\\^ < i. By the assumption that G(s) n Hs^'^^ij^) = 0, 
we have that the coefRcients and Nt and Nt' are bounded away from an 
integer by at least jj- (compare Corollary 14. 31 2). whence we actually have 
lit _ t'li < J_ L 

ll"- lloo ^ AT NL- 

Now t-t' = d{x) + t - {d{x') + t') = jj{v - v') in K"/A, whence there 
exists some A G A such that v — v' ^ N{t — t') + NX. 

(ii) Let {^:j^oTr){s+j^v) = {x,t); then /(u) = {x, [Nt\) andd(a;)+t = s+j^v. 
Set u := V + NX; then d(a;) + t — s + j^u as an element of R"/A, whence 
{x,t) = ($^io^)(s + iu). 

There are at most two choices for each coordinate of the vector e G (—1, 1)" 
such that u + e has only integral coefficients. For each coordinate, there 
is exactly one choice if only can be chosen; otherwise, there exists one 
choice a E (—1,0) and the other is 1 + a. Hence, there exists a unique 
e e (-1, 1)" such that [iViJ = [Nt + ej and v' := u + e e Z". 
Clearly, t+j^e>0. First, {x,t + ^e) e Rep^ (I) since s + j^v ^ ^^bound^ 
Second, d{x) + {t + j^e) = s + j^v' implies f{v') = {x, [Nt + e\) = 
(x, [Nt\ ) = f{v). Third, v' e V since u e [1, qN - 2]". 

It remains to show that v' is unique. Assume that v',v" e V satisfy 
f{v') = /(«"), II {v - v') - NXWoo < 1 - i, and II (t; - v") - iVA||oo < 1 - f 
By (i) of this proposition, the condition f{v) = f{v') implies that there 
exists some A' € A with ||(w' — v") — A^A'H^ < 1. By the triangle inequal- 
ity, the two above conditions on the norms imply that [v' — v"[^ < 2. 
Since v' - v" e Z", this yields ||w' - i;"||^ < 1. 

By applying the triangle inequality again and dividing by TV, we conclude 
that IIA'II^ < f . Now, if w' ^ v" , then ||(w'-i;") -iVA'||^ < 1 would 
imply that A' ^ 0. Then, < ||A'||2 < V"-- would hold. But, this would 

violate Ai(A) > which follows from (III). Therefore, we must have 

v' — v" and, thus, v' is unique. 

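(iii) Using (ii), we see that a lower bound $M_\ell$ on $M$ is given by the cardinality
of $N\Lambda \cap (-v + [1, qN - 2]^n)$. Let $\nu(N\Lambda)$ be the covering radius of $N\Lambda$. Let
$\lambda \in N\Lambda$. If $\lambda \in (-v + [1 + \nu(N\Lambda), qN - 2 - \nu(N\Lambda)]^n)$, then the Voronoi cell
$V_{N\Lambda}(\lambda)$ of $\lambda$ is entirely contained in $(-v + [1, qN - 2]^n)$. As the volume
of $V_{N\Lambda}(\lambda)$ is $\det(N\Lambda)$, this yields the lower bound

$$\frac{(qN - 3 - 2\nu(N\Lambda))^n}{\det(N\Lambda)} \ge \frac{q^n}{\det(\Lambda)}\left(1 - \frac{3n}{qN} - \frac{2n\nu(\Lambda)}{q}\right),$$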
which is greater than provided that assumption (III) holds.



□ 



6 Sampling approximations of vectors of the dual lattice $\Lambda^*$



6.1 Sampling in dimension greater than one 

We present here our new method of sampling approximations of the vectors of the
dual lattice $\Lambda^*$, which improves the success probability of the overall algorithm
by at least the exponential factor $2^n$.

We determine the probability that the quantum algorithm outputs a $w \in W$
such that $\frac{w}{2nq}$ is sufficiently close to some $\lambda^* \in \Lambda^*$. We have to impose certain
conditions on $w$ to be able to show that the probability of observing a good
approximation is bounded away from 0. For $\lambda^* \in \Lambda^*$, let

Observe that for all w G TZx* , we have 

7/1 

A* 



e {[2nq\l\, [2nq\l\ + 1} for fc = 1, . . . , n} . 



w 

2nq 



< 



2y/nq 



The following proposition gives a lower bound on the probability of observing
elements of $\mathcal{R}_{\lambda^*}$ provided that $\mathcal{R}_{\lambda^*} \subseteq [0, 2nq\kappa N]^n$, where $\kappa \in (0,1)$.

In the remainder of this section, we make the two following assumptions:



(i) the random shift s e 5 is such that G{s) n H^"'^{j^ 



(ii) all measurement outcomes f{v) are such that s 



N 



and 

^ ^bound 



The relevant results can be stated in a more direct way if we do not have to
include these two assumptions in the formulation of the propositions. Note
that we can estimate the probabilities that they are satisfied with the help of
Corollary 4.3 and Lemma 5.3. These will be included in the final analysis of the
algorithm.

Proposition 6.1. Choose $q$ and $N$ according to (III) and (IV). Choose $\kappa$ such
that

K<^~ — (V) 



Then, for all A* G A* with TZ\ 
Pr(7^A-) = 



E 

wen.: 



8n AnqN 
C [0,2gnKiV]", we have the lower bound 



E 

wen 



A* 



v'eM 



> 



2"-iAf£ 
W 



exp 27ri v' ■ 



2Kn) 



2nqN 



1 

2qN 
Proof. Let $v'$ be an arbitrary but fixed element of $\mathcal{M}$. Proposition 5.4 (i) shows
that \\v' — V — NX\\^ < 1 — for some A G A since condition (III) is satisfied. 
Define the error terms ei{v') = v' — v — NX and e2{w) = 2^^~ for w € Ti-x- ■ 
Both error types arise because both the rescaled lattice $N\Lambda$ and the dual lattice
$\Lambda^*$ are not necessarily integral.

To be able to show that the probability of observing a $w \in \mathcal{R}_{\lambda^*}$ is bounded
away from zero by a constant, we have (i) to carry out the Fourier transform
over a larger window and (ii) to disregard $w$ whose infinity-norm is too large.
These two measures make it possible to mitigate the effects of the first and
second errors, respectively. Unfortunately, both measures are also responsible
for the exponentially decreasing success probability with increasing dimension
$n$.

To understand the effects of these error terms, we expand the inner product 
as follows 



2nqN 



- {v + NX + e^iv')) 



2nqN ^ ' 2nqN 

= (v + NX)- -^ + ei{v') 



2nqN ' ' 2nqN 
{v + NX)-^ + {v + NX) ■ e2iw) + ^iv') ■ 

• ^ + A • A* + (t; + iVA) • e2{w) + ei{v') ■ 



Since w • ^ is constant and A • A* G Z, we only have to consider the inner 
products ei(u') • 2nqN ^^'^ ~^ ^'^) ■ ^^{w). 

Using the upper bound ||ei(w')||3„ < 1 — the absolute value of the first 
error term is seen to be bounded from above by 

VU Tl 1 

To bound the norm of the second error term, we set

$$\rho_k = 2nq\lambda_k^* - \lfloor 2nq\lambda_k^* \rfloor$$

for $k = 1, \dots, n$. In words, the values $\rho_k$ correspond to the errors caused by
rounding down the coefficients of $2nq\lambda^*$ to the nearest integer. Set

A = {k : Wk ^ \ 2nqX*k\} and {£ : wi> = \ 2nqXl\ + 1}. 



Observe that for k ^ A the fcth coefficient of the error vector 62 (w) — ^ 
)r e A the iih coefficient is equa 



2nqN N 

is equal to and for i d A the ith coefficient is equal to 2nqN ■ 



2n , 
which is equal to $qN\|e_2(w)\|_1$.

Since i; + iVA S [-1 + ^,qN ~ i]" C {-l,qN)", we have 

keA ^ eeA 

eeA keA 

Therefore, the sum {v + NX) ■ 62 (w) + ei{v') ■ ^^^^ of both error terms ranges 
over an interval of length at most 

Clearly, the identity 




holds for all A C {1, . . . , n}. This simple fact implies the crucial inequality 

vcAn{LA,Lx} < ^■ 

The latter holds because otherwise we would have La> \ and = \—La > \, 
which would lead to the contradiction \ > \- 

In the remainder of the proof, without loss of generality A always denotes a 
subset of {1, ... , n} with La < \- 

Let A be such subset and w the corresponding approximation of 2nqN\* . 
This means that the sum we want to estimate can be written as 

exp(27ri(a + = exp(27ria) ^ exp(27ri^„') 

v' eM v'eM 

with a,l3y' € M and -^.Lphase < Pv' < ^iphasc, where Lphasc = La+^^+^ku. 
Hence, the real part of every term exp(27rz/3i,/) is cos(27r/?i,/) > cos(7rLphasc) since 
-lphasc < 5 due to < i and the special choice of k in (IV). 

This implies that the absolute value of the sum is bounded from below by
$M\cos(\pi L_{\mathrm{phase}})$ for this particular $w$. Finally, we obtain the desired claim

A:La<j 

by noting that there are at least 2"~^ subsets A with La < j- □ 
6.2 Sampling in dimension one

Remark 6.2 (One-dimensional infrastructures). In the special case of
one-dimensional infrastructures, it is better to work with the sets

Tlx* ^{w\w^ [2qX*]} 

for $\lambda^* \in \Lambda^*$. This is because we may then choose a slightly larger $\kappa$. The upper
bound can be increased to

1 1 

K < , 

8 8qN' 

which leads to the higher lower bound on the success probability 

Pr Ux* ) > — cos2 U( + +2Kn 
W V H AqN 

This bound is established by using the same arguments as in the proof of the
above proposition and by observing that the upper bound on $|e_2(w)|$ is reduced
by a factor of 2. The latter statement is due to the fact that for all $\lambda^* \in \Lambda^*$, we
have the better approximation



A* 

2q 



1 



where w G TZx* 



7 Lattice theoretic tools — Part 1 

7.1 Lattices of dimension greater than one 

We now show how to obtain a generating set of a full-rank lattice $L$ in $\mathbb{R}^n$ by
first sampling $n$ lattice vectors that are contained in the window $[0, b)^n$ and
then $n+1$ lattice vectors that are contained in the larger window $[0, b_0)^n$. If we
choose $b$ to be sufficiently larger than the covering radius of $L$, then the first $n$
lattice vectors generate a full-rank sublattice $L_0$ of $L$ with probability greater or
equal to $\frac{1}{4}$ (Subsection 7.1.1). Once we have such a sublattice $L_0$, the next $n + 1$
lattice vectors that we sample from the larger window $[0, b_0)^n$ generate together
with the first $n$ vectors the entire lattice $L$ with probability greater or equal to
$C - \frac{1}{4} > 0.184$, where $C$ is a certain constant (Subsection 7.1.3).

Our current proof requires that we use two windows. We think that it is 
possible to prove a similar result, while relying only on one window. 

Note that these results will be used with L = A* throughout the rest of the 
paper. 



7.1.1 Probability of generating a full-rank sublattice $L_0$ of $L$

Let $L$ be a lattice in $\mathbb{R}^n$ of full rank. For $\lambda \in L$, let $V_L(\lambda)$ be its (open) Voronoi
cell. We know that $V_L(\lambda)$ is contained in an open sphere of radius $\nu(L)$ centered
around $\lambda$, where $\nu(L)$ is the covering radius of $L$, and that the volume of $V_L(\lambda)$
is $\det(L)$. Moreover, if $\lambda \ne \lambda'$, $V_L(\lambda) \cap V_L(\lambda') = \emptyset$, and $\bigcup_{\lambda \in L} \overline{V_L(\lambda)} = \mathbb{R}^n$.
Lemma 7.1. Let $b > 2\nu(L)$. Then

$$\frac{(b - 2\nu(L))^n}{\det(L)} \le |L \cap [0,b)^n| \le \frac{(b + 2\nu(L))^n}{\det(L)}.$$

Proof. If $\lambda \in L$ satisfies $V_L(\lambda) \cap [\nu, b - \nu]^n \ne \emptyset$, then we must have $\lambda \in [0,b)^n$.
Therefore, $(b - 2\nu)^n / \det(L) \le |L \cap [0,b)^n|$.

If $\lambda \in L \cap [0,b)^n$, then we must have $V_L(\lambda) \subseteq [-\nu, b + \nu)^n$. Therefore,
$|L \cap [0,b)^n| \le (b + 2\nu)^n / \det(L)$. □

Lemma 7.2. Let $b > 0$ and $H$ be a $k$-dimensional hyperplane, $1 \le k < n$. Then

$$|L \cap H \cap [0,b)^n| \le \frac{n^{k/2}(b + 2\nu(L))^k (2\nu(L))^{n-k}}{\det(L)}.$$

Proof. Let $\lambda \in L \cap H \cap [0,b)^n$. Then $V_L(\lambda) \subseteq X := [-\nu, b + \nu)^n \cap (H + B_\nu(0))$,
where $B_\nu(0)$ is a sphere of radius $\nu$ centered around $0$. Therefore,
$|L \cap H \cap [0,b)^n| \le \mathrm{vol}(X)/\det(L)$, and we have to estimate $\mathrm{vol}(X)$.

Clearly, if $\mathrm{vol}_k(Y)$ denotes the $k$-dimensional volume of $Y := H \cap [-\nu, b + \nu)^n$,
we have that $\mathrm{vol}(X) \le \mathrm{vol}_k(Y) \cdot (2\nu)^{n-k}$. (In fact, we can replace $(2\nu)^{n-k}$ by
the volume of an $(n-k)$-dimensional sphere of radius $\nu$.)

Let $b_1, \dots, b_k$ be an orthonormal basis of $H$. Set $T := \{(x_1, \dots, x_k) \in \mathbb{R}^k \mid
\sum_{i=1}^{k} x_i b_i \in [-\nu, b + \nu)^n\}$; then $\mathrm{vol}(T) = \mathrm{vol}_k(Y)$. A point $y \in Y$ corresponds
to $(\langle y, b_1 \rangle, \dots, \langle y, b_k \rangle) \in T$. Write $b_i = (b_{i1}, \dots, b_{in})$ and $y = (y_1, \dots, y_n) \in
[-\nu, b + \nu)^n$, set $A_{ij} := b + \nu$ if $b_{ij} \ge 0$ and $A_{ij} := -\nu$ if $b_{ij} < 0$. Then

n n n 

-{b + 2,^))< {y, b,) = VjK < 

implying that $\langle y, b_i \rangle$ ranges over an interval of length $\|b_i\|_1 (b + 2\nu) \le \sqrt{n}(b + 2\nu)$.
Therefore,

$$\mathrm{vol}(T) \le n^{k/2}(b + 2\nu)^k.$$

□

Corollary 7.3. Assume that $b > \max\{8n - 2,\ n^{(n-1)/2}2^{n+1} - 2\} \cdot \nu(L)$. Let

$$X := (L \cap [0,b)^n)^n$$
and
$$Y := \{(y_1, \dots, y_n) \in X \mid \mathrm{span}_{\mathbb{R}}(y_1, \dots, y_n) = \mathbb{R}^n\}.$$

Then

$$|Y| > 0.289\,|X| > \tfrac{1}{4}|X|.$$

Note that $\max\{8n - 2,\ n^{(n-1)/2}2^{n+1} - 2\} = n^{(n-1)/2}2^{n+1} - 2$ unless $n \le 2$,
in which case the maximum is $8n - 2$.

The proof of this corollary is similar to the proof of the first part of Satz 2.4.23
in [Sch07]. Note that the proof in [Sch07] is not correct: the quantity in
the proof can be > ^; for example, consider r = 3, M = Z^,n>0 arbitrary (in
|Sch07] . w(M) is what we denote by 6, i.e., S = [0, ni^(M))"), xi = {l,nv{M)- 
1,-1), a;2 = {0,l,ni'{M)—l), X3 — (0, 0, 1); then Mi nS contains three elements, 
while M2 n B contains five elements. The problem is that det(Mi) cannot be 
bounded in terms of z/(M) and det(Mi_i), as it was claimed in that proof. We 
proceed differently by considering the quantity ^^j^^j directly, and our bound 
on the minimal size of B is in fact better than the bound given in jSch07| . 

Also, note that for specific small $n$, one can obtain better bounds of $|Y|$
in terms of $|X|$. As the proof will show, a lower bound on $|Y|$ is given by
$|X| \cdot \prod_{i=1}^{n-1}(1 - 2^{-i})$. The following table gives explicit values for this factor for
small values of $n$, rounded down to a precision of $10^{-3}$:

n                                   2      3      4      5      6
$\prod_{i=1}^{n-1}(1 - 2^{-i})$     0.500  0.375  0.328  0.307  0.298



Proof. Assume that $y_1, \dots, y_k \in X$ are linearly independent. We have to compute
the probability that $y_{k+1} \in X$ is not contained in the hyperplane generated
by $y_1, \dots, y_k$, which is of dimension $k$. Write $b = j\nu(L)$ with
$j > n^{(n-1)/2}2^{n+1} - 2$. By the above lemmata, the probability that $y_{k+1}$ is in a
$k$-dimensional hyperplane is bounded from above by

$$p_k := \frac{n^{k/2}(b + 2\nu)^k (2\nu)^{n-k}}{\det(L)} \cdot \frac{\det(L)}{(b - 2\nu)^n}
= \frac{n^{k/2}(b + 2\nu)^k (2\nu)^{n-k}}{(b - 2\nu)^n} = \frac{n^{k/2}(j + 2)^k 2^{n-k}}{(j - 2)^n}.$$

We now prove that $p_k < 2^{-k}$ holds, which is equivalent to

$$n^{k/2}(j + 2)^k 2^n < (j - 2)^n.$$

Clearly, the left-hand side is maximal for $k = n - 1$, giving the strictest condition

$$n^{(n-1)/2}2^n < \frac{(j - 2)^n}{(j + 2)^{n-1}}.$$

The right-hand side is bounded from below by $(j + 2)/2$ provided that $j > 8n - 2$
(this follows from Bernoulli's inequality). Hence, the above condition is satisfied
for $j > n^{(n-1)/2}2^{n+1} - 2$.

To conclude the proof, note that the probability we look for is therefore
bounded from below by

$$\prod_{i=1}^{n-1}(1 - 2^{-i}) > \prod_{i=1}^{\infty}(1 - 2^{-i}) > 0.289 > \tfrac{1}{4},$$

where the last two inequalities follow by Euler's Pentagon Number Theorem.

□
7.1.2 Probability of generating finite abelian groups

Proposition 7.4. Let $G$ be a finite abelian group known to be generated by $n$
elements. Then the probability that $n + 1$ elements drawn uniformly at random
from $G$ generate $G$ is at least

$$C := \prod_{i=2}^{\infty} \zeta(i)^{-1} > 0.434,$$

where $\zeta$ denotes the Riemann zeta function.

Note that for small $n$, better lower bounds on the probability can be obtained.
If $G$ can be generated by $n$ elements, then a better lower bound is
$\prod_{i=2}^{n+1} \zeta(i)^{-1}$; this is always larger than $C$. The following table gives explicit
values for this product for small values of $n$, rounded down to a precision of
$10^{-3}$:

n                                     2      3      4      5      6
$\prod_{i=2}^{n+1} \zeta(i)^{-1}$     0.505  0.467  0.450  0.442  0.439



Proof. Let $p_1, \dots, p_k$ be the prime divisors of $|G|$, and let $G_i$ be the $p_i$-Sylow
subgroup of $G$. Then $G = G_1 \oplus \cdots \oplus G_k$. Let $(g_1, \dots, g_{n+1}) \in G^{n+1}$ be $n + 1$
elements of $G$; then we can write $g_i = (g_{i1}, \dots, g_{ik}) \in G_1 \times \cdots \times G_k$. Now

$$G = \langle g_1, \dots, g_{n+1} \rangle \iff \forall j : G_j = \langle g_{1j}, \dots, g_{n+1,j} \rangle.$$

Hence, it suffices to bound the probability for abelian $p$-groups.

In the proof of the theorem in [Pom01], it is shown that the probability that
$n + 1$ elements in an abelian $p$-group of $p$-rank $r$ generate the group is

$$\prod_{i=1}^{r}\left(1 - p^{-((n+1-r)+i)}\right) \ge \prod_{i=2}^{n+1}\left(1 - p^{-i}\right).$$

We know that $r \le n$, since $G$ is generated by $n$ elements.

Therefore, the probability that n elements of an arbitrary finite abelian 
group G which can be generated by n elements generate the group is at least 

$$\prod_{p} \prod_{i=2}^{n+1}(1 - p^{-i}) = \prod_{i=2}^{n+1} \prod_{p} (1 - p^{-i}) = \Big(\prod_{i=2}^{n+1} \zeta(i)\Big)^{-1}$$

using the Euler product representation of the Riemann zeta function. Now 

n+l oo 
i=2 i=2 

The product $\prod_{i=2}^{\infty} \zeta(i)$ is well-known in group theory [Seq]. □
Note that it is essential for our proof to work that we use $n + 1$ elements
instead of $n$, since if we choose just $n$ elements randomly, the final product would
include $\zeta(1)^{-1} = 0$ and the probability would drop down to zero. However, a
different approach can result in a non-zero probability for $n$ elements, but this
probability will not be constant anymore, but depend on $n$ or $|G|$. For example,
if $p_1, \dots, p_k$ are distinct primes and $G = \prod_{i=1}^{k} (\mathbb{Z}/p_i\mathbb{Z})^n = (\mathbb{Z}/p_1 \cdots p_k\mathbb{Z})^n$, then $G$
can be generated by $n$ elements, but the probability that $n$ random elements
from $G$ generate $G$ is exactly $\prod_{i=1}^{k} \prod_{j=1}^{n} (1 - p_i^{-j})$, which goes to zero if $k \to \infty$
for exactly the above reasons. Hence, any non-trivial bound of the probability
must take $n$ or $p_1, \dots, p_k$ into account.
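The table after Corollary 7.3, the table after Proposition 7.4 and the role of the extra $(n+1)$-st element can be checked numerically. The following Python sketch is an added example, not code from the paper; all function names are illustrative. It assumes the group is given as a product of cyclic groups and uses the per-prime product quoted from [Pom01] in the proof above, cross-checked by exhaustive enumeration on small groups.

```python
from fractions import Fraction
from itertools import product
from math import prod


def zeta(s, terms=2000):
    """Riemann zeta(s) for real s > 1: partial sum plus Euler-Maclaurin tail."""
    head = sum(k ** -s for k in range(1, terms))
    return head + 0.5 * terms ** -s + terms ** (1 - s) / (s - 1)


def zeta_lower_bound(n):
    """prod_{i=2}^{n+1} zeta(i)^{-1}: lower bound for n+1 random elements."""
    return 1.0 / prod(zeta(i) for i in range(2, n + 2))


def full_rank_factor(n):
    """prod_{i=1}^{n-1} (1 - 2^{-i}): the factor tabulated after Corollary 7.3."""
    return prod((Fraction(2 ** i - 1, 2 ** i) for i in range(1, n)),
                start=Fraction(1))


def prime_divisors(m):
    """Distinct prime divisors of m by trial division."""
    primes, p = [], 2
    while p * p <= m:
        if m % p == 0:
            primes.append(p)
            while m % p == 0:
                m //= p
        p += 1
    if m > 1:
        primes.append(m)
    return primes


def generation_probability(moduli, k):
    """Exact probability that k uniform elements generate Z/m_1 x ... x Z/m_r.

    For each prime p the Sylow subgroup has p-rank r_p (number of moduli
    divisible by p) and contributes prod_{j=k-r_p+1}^{k} (1 - p^{-j}).
    """
    result = Fraction(1)
    for p in sorted({p for m in moduli for p in prime_divisors(m)}):
        rank = sum(1 for m in moduli if m % p == 0)
        if rank > k:                      # fewer elements than the p-rank
            return Fraction(0)
        for j in range(k - rank + 1, k + 1):
            result *= 1 - Fraction(1, p ** j)
    return result


def brute_force_probability(moduli, k):
    """Same probability by enumerating every k-tuple (small groups only)."""
    elems = list(product(*(range(m) for m in moduli)))   # elems[0] is 0
    index = {e: i for i, e in enumerate(elems)}
    add = [[index[tuple((a + b) % m for a, b, m in zip(x, y, moduli))]
            for y in elems] for x in elems]
    order, hits = len(elems), 0
    for gens in product(range(order), repeat=k):
        seen, stack = {0}, [0]
        while stack:                      # closure of {0} under adding generators
            x = stack.pop()
            for g in gens:
                y = add[x][g]
                if y not in seen:
                    seen.add(y)
                    stack.append(y)
        hits += len(seen) == order
    return Fraction(hits, order ** k)


if __name__ == "__main__":
    for n in range(2, 7):
        print(n, float(full_rank_factor(n)), zeta_lower_bound(n))
    # G = (Z/m)^2 with m a product of more and more primes (constructed input):
    for m in (6, 30, 210, 2310):
        print(m, float(generation_probability((m, m), 2)),
              float(generation_probability((m, m), 3)))
```

With $n = 2$ the second loop shows the probability for $n$ elements shrinking as primes are added, while the probability for $n + 1$ elements stays above $\zeta(2)^{-1}\zeta(3)^{-1}$.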

7.1.3 Probability of generating the entire lattice L

Lemma 7.5 (Sampling almost uniformly at random from $L/L_0$). Let $L_0$ be an
arbitrary full-rank sublattice of $L$. Assume that $b_0 > 2\nu(L_0)$ and we can sample
uniformly at random from

$$L \cap [0, b_0)^n.$$

Denote the sample by $\lambda$. Then, $\lambda + L_0$ is distributed almost uniformly at random
over the quotient group $L/L_0$. More precisely, the total variation distance
from the uniform distribution is at most

$$1 - \frac{(b_0 - 2\nu(L_0))^n}{(b_0 + 2\nu(L))^n}.$$

Proof. Let again $V_{L_0}(\lambda_0)$ denote the open Voronoi cell of the lattice $L_0$ centered
around $\lambda_0$. First note that $V_{L_0}(\lambda_0) = \lambda_0 + V_{L_0}(0)$ and $\overline{V_{L_0}(\lambda_0)} = \lambda_0 + \overline{V_{L_0}(0)}$.
Now, as $\bigcup_{\lambda_0 \in L_0}(\lambda_0 + \overline{V_{L_0}(0)}) = \mathbb{R}^n$ and two translates of $V_{L_0}(0)$ by different
elements of $L_0$ do not intersect, there exists a set $V$ with $V_{L_0}(0) \subseteq V \subseteq \overline{V_{L_0}(0)}$
satisfying

$$\bigcup_{\lambda_0 \in L_0} (\lambda_0 + V) = \mathbb{R}^n \quad\text{and}\quad \forall \lambda_0 \in L_0 \setminus \{0\} : (\lambda_0 + V) \cap V = \emptyset.$$

Note that $\mathrm{vol}(V) = \mathrm{vol}(V_{L_0}(0)) = \det(L_0)$.

Every translate of $V$ contains the same number of elements from $L$, and
$|V \cap L|$ equals

$$m = \det(L_0)/\det(L);$$

this can be shown using asymptotic arguments similarly to the proof that any
elementary parallelepiped of $L_0$ contains exactly $m$ elements of $L$ (see e.g. [Bar]).

For all X G L OV, the vectors A — Ag form a transversal for L/Lq. 

As C B^(^Lg'f{0), there are at least 

^ (6o - 2z/(Lo))" 
det(Lo) 






translates of $V$ that are contained inside the window $[0, b_0]^n$.
There are at most

$$u_P = \frac{(b_0 + 2\nu(L))^n}{\det(L)}$$

points of $L$ inside $[0, b_0]^n$.

Let dmax = \up — m£v\ be the maximal possible deviation in the number of 
points of L inside [0, 6o]" from the lower bound m£v- Let d G {0, . . . , dmax} be 
the actual deviation. 

Ideally, we would have the uniform distribution pj = 1/m on L/Lq. But we 
only have the almost uniform distribution which necessarily has the form 



m£i 



for j = 1, . . . , m, where di , . . . , dm are integers with < dj < d and ^ 
d. The total variation distance can be bounded as follows 



. m 



\Pj-Pj\ 



-T 
2 ^ 



—y 

2m ^ 



d — mdi 



< 



— T 

2m ^-^ mlv 

d 



m£v + d, 
d + mdi 



< 



m£v + d 

dm a V 



m£ 



< 



m£x 



We have 



V 



m£i 



Up 



m£\ 



m£i 



m£v 

Up 



(bo - 2u{Lo)Y 
{bo + 2v{L)Y 



Note that so far, we have considered $[0, b_0]^n$ instead of $[0, b_0)^n$. As $L$ is
discrete, there exists some $2\nu(L_0) < b_0' < b_0$ with $[0, b_0']^n \cap L = [0, b_0)^n \cap L$. Applying
the result above to [0, feg]" and then using that a; 1— )■ 1 — 2iy(Lo)) 
yields the stated claim for [0,6o)"- 



(x+2iy(L))" 



IS increasing 



□ 
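Lemma 7.5 can be observed directly in dimension two. The following Python sketch is an added example, not code from the paper: it takes $L = \mathbb{Z}^2$ and a sublattice $L_0$ given by an integer basis, counts the points of $L \cap [0, b_0)^2$ in each coset of $L_0$, and compares the exact total variation distance with the bound of the lemma. Function names and the sample basis are illustrative; $\nu(L_0)$ is replaced by the standard upper bound $\frac{\sqrt{n}}{2}\max_i \|y_i\|_2$, which only weakens the bound.

```python
from collections import Counter
from fractions import Fraction
from itertools import product
from math import sqrt


def coset_label(z, basis):
    """Label of the coset z + L0 in Z^2 / L0 for the integer basis (y1, y2).

    With B the matrix whose columns are y1 and y2, z - z' lies in L0 iff
    adj(B) (z - z') is divisible by det(B) in both coordinates.
    """
    (a, c), (b, d) = basis                 # y1 = (a, c), y2 = (b, d)
    det = abs(a * d - b * c)
    return ((d * z[0] - b * z[1]) % det, (-c * z[0] + a * z[1]) % det)


def window_counts(basis, b0):
    """Points of L = Z^2 in [0, b0)^2 per coset of L0 (b0 a positive integer)."""
    return Counter(coset_label(z, basis) for z in product(range(b0), repeat=2))


def total_variation(basis, b0):
    """Exact total variation distance between the sampled coset distribution
    and the uniform distribution on L / L0."""
    (a, c), (b, d) = basis
    m = abs(a * d - b * c)                 # index [L : L0] = det(L0) / det(L)
    counts = window_counts(basis, b0)
    total = sum(counts.values())
    hit = sum(abs(Fraction(k, total) - Fraction(1, m)) for k in counts.values())
    missed = (m - len(counts)) * Fraction(1, m)    # cosets with no sample point
    return (hit + missed) / 2


def lemma_bound(basis, b0):
    """1 - (b0 - 2 nu(L0))^n / (b0 + 2 nu(L))^n for n = 2 and L = Z^2.

    nu(Z^2) = sqrt(2)/2; nu(L0) is replaced by (sqrt(n)/2) * max ||y_i||_2.
    """
    n = 2
    nu_L = sqrt(n) / 2
    nu_L0 = sqrt(n) / 2 * max(sqrt(x * x + y * y) for x, y in basis)
    if b0 <= 2 * nu_L0:
        raise ValueError("the lemma requires b0 > 2 nu(L0)")
    return 1 - (b0 - 2 * nu_L0) ** n / (b0 + 2 * nu_L) ** n


if __name__ == "__main__":
    basis = ((3, 1), (1, 2))               # constructed example, det(L0) = 5
    for b0 in (5, 6, 12, 37, 40, 200):
        tv = total_variation(basis, b0)
        print(b0, tv, round(lemma_bound(basis, b0), 4))
```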



Proposition 7.6. Assume that $b > \max\{8n - 2,\ n^{(n-1)/2}2^{n+1} - 2\} \cdot \nu(L)$ and
$b_0 > 8n^2(n + 1)b$. Let $Y$ be as in Corollary 7.3 and $(y_1, \dots, y_n) \in Y$. Let

$$X_0 := (L \cap [0, b_0)^n)^{n+1},$$

$$Z := \{(z_1, \dots, z_{n+1}) \in X_0 \mid \mathrm{span}_{\mathbb{Z}}\{y_1, \dots, y_n, z_1, \dots, z_{n+1}\} = L\}.$$

Then

$$|Z| > (C - \tfrac{1}{4})\,|X_0| > 0.184\,|X_0|.$$

Proof. Let $L_0$ be the full-rank sublattice generated by $y_1, \dots, y_n$. We have the
following simple bound on the covering radius

IT \ a/"- ^ /-r \ \Ai II II \Ai /—I nb 

v[Lq) < — A„(Lo) < — . max |ly,|loo < -tt^J™ = — 

Z L i— l,...,n Z Z 

since the $y_i$ are linearly independent and the longest vector in $[0,b)^n$ is shorter
than $\sqrt{n}\,b$.

Let $z_i$ be uniformly distributed in $L \cap [0, b_0)^n$. Then, Lemma 7.5 implies
that $z_i + L_0$ (for $i = n+1, \dots, 2n+1$) are distributed almost uniformly at
random from $L/L_0$. The total variation distance from the uniform distribution
is bounded from above as follows



^ (bo - 2v{L^)Y ^ ^ {bo-2i^{Lo)) 



(feo + 2Ki))" - (60 + 2i.(Lo))" 



< 1 - 1 -n 



bo + 2v{Lo) 
Av{Lo) 



bo + 2v{Lo) 

-.■21 



^ Anv{LQ) ^ 2n^b ^ 1 



bo - bo ~ 4(n + 1) ■ 

Consider now the uniform probability distribution on the $(n + 1)$-fold direct
product of $L/L_0$ and the probability distribution that arises from sampling
almost uniformly at random on each of the components as above. Then the
total variation between these two distributions is bounded from above by
$(n + 1) \cdot \frac{1}{4(n+1)} = \frac{1}{4}$. This is because total variation distance is additive under
composition provided that the components are independent (see e.g. [MG02,
Subsection 1.3 "Statistical distance" in Chapter 7] for more information on total
variation distance).

Clearly, the abelian group $L/L_0$ can be generated with only $n$ generators.
Hence, Proposition 7.4 implies that $n + 1$ samples (provided that they are
distributed uniformly at random over the group) form a generating set with
probability greater or equal to $C$. Due to the deviation from the uniform distribution
on the $(n + 1)$-fold direct product of $L/L_0$ this probability may decrease. However
it is at least $C - 1/4$ since the total variation distance is at most $1/4$. The
claim follows now by translating the lower bound on the probability to a lower
bound on the fraction of elements with the desired property. □

Remark 7.7. The purpose of this proposition is similar to that of Satz 2.4.23
in [Sch07]. We emphasize that our bound on the success probability is constant,
whereas the bound presented in Satz 2.4.23 decreases exponentially fast with the
dimension $n$. The first part of the proof of Satz 2.4.23 (concerning the generation
of a full-rank sublattice) is unfortunately not correct, but can be corrected as
we have shown in our proof of Corollary 7.3. The idea behind the second part
is completely different from our proof and cannot be used to prove a constant
success probability. Perhaps it could be used to prove that only $2n$ random
elements (as opposed to $2n + 1$ elements) are needed to guarantee a non-zero
success probability.

Note that in [Hal05], neither a bound is given on how many lattice elements
have to be sampled nor the probability is estimated with which the lattice is
generated.

Lemma 7.8. Assume 

b > max{8n - 2, n("-i)/22"+i - 2} • — ^ and 
- ^ ' ^ 2Ai(A) 

2 



bo > 8n\n + l)b. 



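Define

$$X := (\Lambda^* \cap [0, b)^n)^n,$$

$$Y := \{(\lambda_1^*, \dots, \lambda_n^*) \in X \mid \mathrm{span}_{\mathbb{R}}(\lambda_1^*, \dots, \lambda_n^*) = \mathbb{R}^n\}.$$

For each $(\lambda_1^*, \dots, \lambda_n^*) \in Y$, define

$$X_0 := (\Lambda^* \cap [0, b_0)^n)^{n+1},$$

$$Z := \{(\lambda_{n+1}^*, \dots, \lambda_{2n+1}^*) \in X_0 \mid \mathrm{span}_{\mathbb{Z}}(\lambda_1^*, \dots, \lambda_n^*, \lambda_{n+1}^*, \dots, \lambda_{2n+1}^*) = L\}.$$

Then

$$|Y| > 0.289\,|X| > \tfrac{1}{4}|X| \quad\text{and}\quad |Z| > (C - \tfrac{1}{4})\,|X_0| > 0.184\,|X_0|.$$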

Proof. The first lower bound follows from Corollary 17.31 and the inequality 
j^(A*) < 2\"{A) second from Proposition (TTBl D 

By combining the more precise bounds listed below Corollary 7.3 and Proposition 7.6,
respectively, one obtains the following more precise bounds which
depend on $n$:

$$|Y| \ge |X| \cdot \prod_{i=1}^{n-1}(1 - 2^{-i}), \qquad |Z| \ge \Big(\prod_{i=2}^{n+1} \zeta(i)^{-1} - \tfrac{1}{4}\Big) \cdot |X_0|. \tag{*}$$



7.2 Lattices of dimension one 

We now discuss the special case $n = 1$. For this case, $2n$ instead of $2n + 1$
vectors from one window suffice to generate the lattice with a significantly higher
probability.

Lemma 7.9. Let $L = v\mathbb{Z}$ be a one-dimensional lattice, where $v \in \mathbb{R}_{>0}$. Assume
that $b > 3v + 1$. Then, two samples chosen uniformly at random in $L \cap [0,b)$
generate L with probability greater than ^^^l^j > ^. Note that det(L) — v = 
$\lambda_1(L)$, $\nu(L) = \frac{1}{2}\det(L)$ and that $L^* = \frac{1}{v}\mathbb{Z}$.

Proof. Clearly, the number of lattice elements in [0, 6—1] is 1 + [^^J , where 1 
accounts for the zero vector. Hence, the probability that a random element of 
L n [0, 6 — 1] is non-zero is 

L u J -I 



which greater or equal to | for h > 3w + 1. Further, note that this condition 
ensures that there are at least 3 non-zero elements. Assume that we obtained 
two non-zero elements; these have the form kv and ^v, where fc,£ are chosen 
uniformly at random in {1, ... , m} with m > 3. It is well-known that gcd(fc, t.) = 
1 with probability greater than This proves the bound -^{jf > \- 

8 Obtaining an approximate generating set of
the dual lattice $\Lambda^*$

8.1 Lattices of dimension greater than one

The current result in Proposition 7.6 forces us to sample lattice vectors from
windows of two different sizes. Recall that the parameter $N$ directly determines
the size of the portion of the dual lattice $\Lambda^*$ from which we can sample. We
refer to this parameter as $N$ in Subsection 8.1.1 and as $N_0$ in Subsection 8.1.2.
The other parameters $q$ and $\kappa$ can be chosen to be the same.

8.1.1 Generating a full-rank sublattice of the dual lattice 
Lemma 8.1. Choose $q$, $N$, and $\kappa$ according to (III)-(V) and

N > i (ma.^iSn - 2, ..."-.'^ ■ 2"« - 2} ■ ^ + ji-) , (VI) 

1 / 1 \ 

^ > - + TTTT • (VII) 



K\2q Ai(A) 

Run the quantum algorithm $n$ times and denote the samples by $w_1, \dots, w_n$.
Then, the probability that there exist $\lambda_1^*, \dots, \lambda_n^* \in \Lambda^* \cap [0, \kappa N - \frac{1}{2nq})^n$ with

(i) the lattice vectors $\lambda_1^*, \dots, \lambda_n^*$ span a full-rank sublattice of $\Lambda^*$ and

(ii) the samples $w_i$ approximate these lattice vectors $\lambda_i^*$ so that



A* 

2^ ^ ' 



< r=r- for i — 1, . 

2 "^Vnq 
is greater or equal to



'MfLfC 



> 



W 

1 /C\'^ / K 

4 V2/ \n 

1 / C \ " / K 

4 V2/ \n 



2q Ai(A) J kN 



3n 2iw{K) 
qN ~q 



Here c := cos^(7r(i+ 2^ + 2Krt)) > and Lg is a lower bound on the cardinality 

of A* n [0, kN ~ 2n~)"- '^^^ approximation indicates that Lg and are close 
to 1 provided that %, N and q are sufficiently large. 

Here, the factor j can be replaced with 0.289 or n"=ri^(l ~ (compare 
Equation Q on page EH) . 

Proof Observe that Ux- C [0,2nqKiV]" for all A* G A* n [0,kN - Set 
b := kN - For all A* e A* n [0, b), Proposition 16.11 yields the lower bound 



Pr(w, €nx')> 



'Mic 



W 



Clearly, if Wi G TZx- then 



We obtain the lower bound 



2nq 



< . 

2 2y/nq 



where 



(At,...,A*)e(A*)" 



Li = (KiV)"det(A) 



2"-iM^L^c 
W 



2q Ai(A) J kN_ 

is a lower bound on the cardinality of $\Lambda^* \cap [0, b)^n$. We derive this particular
lower bound by applying the argument based on Voronoi cells and



{kN 



1 

2nq 



2l/(A*))" 



det(A*) 



= (K7V)"det(A) 

> (KiV)" det(A) 

> (kTV)" det(A) 



\2nq 
1 



2q 
1 



f 2iy(A* 
2niy(A* 



1 
1 



2(7 Ai(A) J kN 



1 



We used the Bernoulli inequality and the inequality $\lambda_1(\Lambda)\,\nu(\Lambda^*) \le \frac{1}{2} n$. Observe
that (VII) implies that is nontrivial. 
Finally, (VI) implies that $b$ is greater than the lower bound in Lemma 7.8.
This shows that at least a fourth of the tuples $(\lambda_1^*, \dots, \lambda_n^*)$ with $\lambda_i^* \in \Lambda^* \cap [0,b)^n$
for $i = 1, \dots, n$ are such that the lattice vectors generate a full-rank
sublattice. □



8.1.2 Generating the entire dual lattice 



Now we combine Proposition 8.1 and Proposition 7.6. We use the same
parameters $q$ and $\kappa$ as in the previous section. We only have to use a larger value for
$N$, which guarantees that we sample from a larger portion of the dual lattice
$\Lambda^*$ to satisfy the premises of Proposition 7.6. We denote this larger value by
$N_0$. Note that with this choice the conditions (III) and (IV) on $q$, $N_0$, and $\kappa$
are automatically satisfied. This is because it becomes easier to satisfy these
conditions when $N$ is made larger.



Lemma 8.2. Let $q$, $N$, and $\kappa$ be as in Lemma 8.1. Choose $N_0$ according to

$$N_0 > 8n^2(n+1)N. \tag{VIII}$$

Use the parameters $q$, $N_0$, and $\kappa$ for the quantum algorithm. Run it $n + 1$
times and denote the samples by $w_{n+1}, \dots, w_{2n+1}$. Assume that $\lambda_1^*, \dots, \lambda_n^*$ from
Lemma 8.1 generate a full-rank sublattice of $\Lambda^*$. Then, the probability that there
exist $\lambda_{n+1}^*, \dots, \lambda_{2n+1}^* \in \Lambda^* \cap [0, \kappa N_0 - \frac{1}{2nq})^n$ with

(i) the lattice vectors $\lambda_{n+1}^*, \dots, \lambda_{2n+1}^*$ together with the lattice vectors $\lambda_1^*, \dots, \lambda_n^*$
generate the entire dual lattice $\Lambda^*$ and

(ii) the samples $w_{n+i}$ approximate these lattice vectors $\lambda_{n+i}^*$



Wn+i 



2nq 



n-\-i 



< 



2y/nq 



for i = 1, 



so that 
n + 1 



is greater or equal to 



)n— 1 



MtLt Co 



n+l 



W 

nJ 



3n 

gAo 



n+l 



1 



C-7 U 



Ai(A); kNo 



1 



n+l 



Here, the factor C~ j can be replaced with Y[7=2 C(*)~^ ~ j (compare Equa- 
tion on page [31]) . 

The proof of this lemma is basically the same as that of Lemma [01 Here Lg 
is the lower bound on A* n [0, 6o)" where bo := kNq — the lower bound 
on M in ProDOsition l5.4l fiii). and W = (27iqiVo)", and cq = cos^(7r(i + 2^^^^^ +
2k7i)) . The cosine factor cq is bounded from below hy c~ cos^ (7r(|; + 2^+2Kn)) 
since Nq > N. The approximation w indicates that Lg and Af^ are close to 1 
provided that q and A'o are sufficiently large. 

There is one point that should be explained in more detail. It remains to
verify that $b_0 > 8n^2(n+1)b$ so that we can apply Lemma 7.8. The condition
on the relation of the window sizes is equivalent to

This inequality is clearly satisfied due to (VIII). 



8.1.3 Bounding the probability 

We replace condition (VII) by the stricter condition 



iV>i 

K 

This, together with (VIII), implies 
,2 X 1 



1 



1 
2^ 



Ai(A) J kN 



1 - 



MA) 
1 

Yq 



(VIIl) 



Ai(A); kNo 



1 



n+l 



> 



22- 



4n(n + 1);/(A). 



Moreover, we replace condition (IV) by the stricter condition 

671^ 

This implies together with (VIII) 



(IVi 



1 



1 



3n 2nv{A) 
qNo q 



n+l 



> 



22- 



From the previous two subsections, under the assumption that (I)-(VIII) hold,
we get that the probability that $2n + 1$ samples from the algorithm generate the
whole lattice $\Lambda^*$ is at least



c 



1 - 



1 - 



3n 2nu{K)' 

qN ~q _ 

3n 2nv{K) 

qNo q 



2n''+n 



1 - 



1 - 



1 

Yq 



1 

Yq 

^2 



Ai(A); kNo 



Ai(A) 
1 



1 

Yn 

n+l 



n+l 



where c — cos2(7r(i + + 2k7i)). Using the stricter conditions (VIIi) and 
(IVi) from above, this can be bounded from below by 



1 

Y 



c 



C\ 2n+l 
2 



2n-'+n I 

^Y 



Q\2n+1 /^\2n"'+n 
Here, the factor ^(C ^ can be increased to 0.053176 or (nr=2 C(*) ^ " \) '
YYi=ii^ — 2~*) (compare Equation ^ on page l3T|). The latter would improve 
the lower bound on the probability that 2n + 1 samples from the algorithm 
generate the whole lattice A* to 



1 /"+^ 



2n+l 



8.2 Dimension one 



Finally, we want to investigate the case n = 1 more closely. In this case, we
have only one window and we sample only two vectors. If $b > 3\det(L) + 1$,
Lemma 7.9 yields that the probability that two randomly sampled vectors from
$\Lambda^* \cap [0, b)$ generate $\Lambda^*$ is larger than $\frac{1}{3}$. We proceed similarly to the proof of
Proposition 8.1. For $b = \kappa N - \frac{1}{2q}$ to hold in conjunction with
$b > 3\det(L) + 1 = \frac{3}{\det(\Lambda)} + 1$, we must satisfy the new condition

$$N > \frac{1}{\kappa}\left(\frac{3}{\det(\Lambda)} + 1 + \frac{1}{2q}\right). \tag{VI2}$$



Assume that the assumptions (I)-(V) and (VI2) are satisfied. Let $w_1, w_2$ be the
two samples output by our quantum algorithm. Then, the probability that all
sampled $w_i$ correspond to lattice vectors $\lambda_i^*$ in $L_{[0,b)}$ for $i = 1, 2$ and that they
generate $L$ is at least



> 



1 rmLic 
3 \ w 
1 



12 



2 2 

-K C 



1 - 



1 



2q det(A) J kN 



1 - 



det(A) 



1 2 



qN 



q 



where is the lower bound on i[o.b) in Proposition I8.1[ c the cosine-factor 
in Proposition 18.11 the lower bound on M in Proposition 15.41 (iii) , and 
W = 2qN. 

Let us introduce the two new assumptions 



and 



g> ^+4dct(A) 

1 [2 
N>-[- 

K \q 



det(A) J 



(IV2) 
(VII2) 



these imply (IV), and allow us to bound 

2 



1 



1 



1 



2qKN kN det{A) 



> - and 
- 2 



1 - 



qN 



dct(A) y ^ 1 
q J - 2- 



This yields the lower bound -^n^<? on the success probability. 
9 Lattice theoretic tools — Part 2



First, we consider the problem of obtaining an approximate basis of a lattice $L$
from an approximate generating set of $L$. Second, we consider the problem of
obtaining an approximate basis of the dual lattice $L^*$ from an approximate basis
of $L$.

9.1 Computing an approximate basis of L from an approx- 
imate generating set of L 

We address the problem of computing an approximate basis from an approximate
generating set. In this subsection, we present Buchmann's and Kessler's
approach in [BK93]. Our exposition simplifies and improves their results. Our
more general analysis makes it possible to quantify the approximation quality
when different lattice approximation algorithms can be used. The analysis in
[BK93] is written only for the LLL algorithm. In the context of our quantum
algorithm it is more advantageous to use algorithms to compute Korkine-Zolotarev
reduced bases. In our analysis, the approximation quality is entirely expressed
in terms of the lattice $L$. In contrast, in [BK93] the approximation quality
depends on the characteristics of some sublattice of $L$.

Remark 9.1. An approach based on [BK93] was already suggested in [Sch07].
However, our requirements on the precision of the approximation can be stated
in much simpler terms than those made in [Sch07]. For instance, an important
simplification is that we do not have to consider any sublattice (compare to
[Sch07, Satz 2.4.24]).

Note that [Hal05] suggested to use the precursor [BP89] for computing an
approximate basis. The problem is that this earlier work does not make any
statements on the size of the entries of a certain unimodular transformation
matrix. Therefore, the results of this work cannot be directly applied because
it is not possible to quantify the quality of the resulting approximate basis. The
major motivation for the follow-up work [BK93] to [BP89] was to bound the
entries of the relevant transformation matrix (see [BK93, Introduction]).

Observe that both [BK93] and [BP89] rely on the LLL basis reduction
algorithm to compute the transformation matrix. However, for the quantum
algorithm it is significantly better to compute Korkine-Zolotarev-reduced bases
in the classical post-processing step. This makes it possible to obtain a
transformation matrix with exponentially smaller entries, which in turn yields an
exponentially better approximation of the basis of the period lattice of the
infrastructure. If the LLL algorithm is used, then it is necessary to evaluate the
function $f$ over an exponentially wider window to achieve the same quality of
approximation of the period lattice. Note that the cost of computing
Korkine-Zolotarev bases in the classical post-processing step is negligible compared to
the time complexity of the quantum part.
Let $L$ be a lattice in $\mathbb{R}^n$ of rank $r \le n$.

Definition 9.2 (Approximate basis). We call $b'_1, \dots, b'_r$ a $\delta$-approximate basis
of $L$ if there exists a basis $b_1, \dots, b_r$ of $L$ with

$$\| b'_i - b_i \|_2 < \delta$$

for $i = 1, \dots, r$.

Definition 9.3 (Approximate generating set). We call $a'_1, \dots, a'_k$ an $\varepsilon$-approximate
generating set of $L$ if there exists a generating set $a_1, \dots, a_k$ of $L$ with

$$\| a'_j - a_j \|_2 < \varepsilon \tag{1}$$

for $j = 1, \dots, k$.
We assume

$$\mu < \lambda_1(L), \qquad \alpha > \max_{j = 1, \dots, k} \{\| a_j \|_2\}.$$

We need these bounds to derive the method for computing an approximate basis
from an $\varepsilon$-approximate generating set and to bound its corresponding $\delta$ in terms
of $\varepsilon$, $\mu$, $\alpha$, $n$, and $k$.

Remark 9.4. The approximate generating set arises in the following way in our
quantum algorithm. We are given an algorithm that returns rational vectors
of the special form $[t a_j]$ where the vectors $a_1, \dots, a_k$ generate the lattice. The
parameter $t$ specifies the quality of the approximation and is under our control.
The problem is to find a unimodular matrix $T \in \mathbb{Z}^{k \times r}$ that transforms the
approximate generating set $[t a_j]$ into an approximate basis of $L$ and to
determine its corresponding $\delta$.

We call a vector $z = (z_1, \dots, z_k) \in \mathbb{Z}^k$ a (nontrivial) relation for the
generating set if $z \ne 0$ and

$$\sum_{j=1}^{k} z_j a_j = 0, \tag{2}$$

where $0$ denotes the (column) zero vector in either $\mathbb{Z}^k$ or $\mathbb{Z}^n$.

Lemma 9.5 (Sufficient and necessary condition for relations). Let $z \in \mathbb{Z}^k$ and
assume that

$$2\varepsilon \| z \|_1 < \mu. \tag{3}$$

Then $z$ is a relation for the generating set if and only if

$$\Big\| \sum_{j=1}^{k} z_j a'_j \Big\|_2 < \varepsilon \| z \|_1. \tag{4}$$
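Proof. Let $z$ be an arbitrary relation. The condition in (4) follows then from
(1) and (2):

$$\Big\| \sum_{j=1}^{k} z_j a'_j \Big\|_2 \le \sum_{j=1}^{k} |z_j| \, \| a'_j - a_j \|_2 < \varepsilon \| z \|_1. \tag{5}$$

Now assume that (4) holds for some (nonzero) vector $z \in \mathbb{Z}^k$. Using (1) and (3)
we obtain

$$\Big\| \sum_{j=1}^{k} z_j a_j \Big\|_2 \le \Big\| \sum_{j=1}^{k} z_j (a_j - a'_j) \Big\|_2 + \Big\| \sum_{j=1}^{k} z_j a'_j \Big\|_2 < 2\varepsilon \| z \|_1 < \mu.$$

Since $\mu < \lambda_1(L)$ we must have that $\sum_{j=1}^{k} z_j a_j = 0$. □

It is convenient to define the scaled approximation vectors

$$\hat a_j = s\, a'_j,$$

where $s$ is a positive parameter that we fix later. Clearly, $\| \hat a_j - s a_j \|_2 < s\varepsilon$.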

Definition 9.6 (Approximation lattice). For $j = 1, \dots, k$, define the vectors
$\tilde a_j \in \mathbb{Z}^k \oplus \mathbb{R}^n$ by

$$\tilde a_j = e_j \oplus \hat a_j,$$

where $e_j$ is the $j$th standard basis vector of $\mathbb{Z}^k$. The vectors $\tilde a_1, \dots, \tilde a_k$ are
linearly independent and form a basis of the approximation lattice

$$\tilde L = \bigoplus_{j=1}^{k} \mathbb{Z}\, \tilde a_j.$$

The following lemma establishes that short lattice vectors of $\tilde L$ give rise to
relations for the generating set of $L$. For the sake of generality we introduce
the parameter $f$ that characterizes the approximation quality of basis reduction
algorithms. We have $f = 2^{(k-1)/2}$ and $f = \frac{\sqrt{k+3}}{2}$ for the algorithms that
compute LLL-reduced and Korkine-Zolotarev reduced bases.

Lemma 9.7 (Sufficient condition for relations). Let $\lambda > 1$. Assume that the
approximation error $\varepsilon$ is bounded from above by

$$\varepsilon < \frac{\mu}{2 f \lambda \sqrt{k}}$$

and the scaling factor $s$ is chosen so that

$$s > \frac{2 f \lambda}{\mu}. \tag{6}$$

Let $z = (z_1, \dots, z_k) \in \mathbb{Z}^k$ be an arbitrary vector and

$$\tilde x = \sum_{j=1}^{k} z_j \tilde a_j$$

the corresponding lattice vector of $\tilde L$. If

$$\| \tilde x \|_2 < f\lambda$$

then $z$ is a relation for the generating set $a_1, \dots, a_k$.

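Proof. We prove the lemma by showing that the contraposition of the statement
holds. Assume that $z$ is not a relation. We have to show that the corresponding
vector $\tilde x$ is strictly longer than $f\lambda$.

We write $\tilde x = z \oplus \hat x$ with $\hat x = \sum_{j=1}^{k} z_j \hat a_j$. Then we have

$$\| \tilde x \|_2 \ge \| z \|_2 \quad\text{and}\quad \| \tilde x \|_2 \ge \| \hat x \|_2.$$

If $\| z \|_2 > f\lambda$ holds then we are done. Otherwise we have

$$\| \tilde x \|_2 \ge \| \hat x \|_2 = \Big\| \sum_{j=1}^{k} z_j \hat a_j \Big\|_2 \ge s \Big\| \sum_{j=1}^{k} z_j a_j \Big\|_2 - \Big\| \sum_{j=1}^{k} z_j (\hat a_j - s a_j) \Big\|_2$$

$$> s\mu - s \| z \|_1 \varepsilon \ge s\mu - s \| z \|_2 \sqrt{k}\, \varepsilon \ge s\mu - s f\lambda \sqrt{k}\, \varepsilon = s\left(\mu - f\lambda\sqrt{k}\,\varepsilon\right) > s\,\frac{\mu}{2} > f\lambda.$$

□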



Lemma 9.8 (Linearly independent relations of bounded norm). There exist
$k - r$ linearly independent relations $m_1, \dots, m_{k-r}$ of the generating set with

$$\| m_j \|_\infty < \frac{\alpha^r}{\det(L)}.$$

Proof. We construct an isometric embedding of L into W^. Let bi, . . . , be 

a basis of L and bj , . . . , b* the corresponding orthonormal vectors obtained by 
the Gram-Schmidt process. Let Wi, . . . , be an arbitrary orthonormal basis 
of M''. The mapping <& defined by 



$(b*) = Wi 
for i = 1, . . . , r is an isometry between L and L* := ^{L) and we have det(L) = 
det(iy*). We set af := <&(ai). We assume w.l.o.g. that the first r vectors of the 
generating set ai, . . . ,a/s are linearly independent. Define the matrices 

A = (af |...|a?|...|a*) 
C = (af|...|a?) 

The submatrix C G W^^'^ of A G MJ'^'^ is nonsingular, which follows from the 
assumption that the first r generators of L are linearly independent. Let vj e 
be the solutions of the linear system 

Cvj = a*+j 

for J = 1, . . . , fc — r. Define the (column) vectors 

det(C) . 



det(L*) 



(-l)e, 



where ej are the standard basis vectors of R'^"'' for j = 1, . . . , fc — r. Due to 
construction they are linearly independent and form a basis of the kernel of A 
(which has dimension k — r) since 

det(C) ,^ , det(C) , , ^ 

^ = d^ - ^^^^^ = d^ ^^^^^ - ^^^^^ = ° 



for j = 1, . . . , fc — r. Using Cramer's rule, we can express the coefficients of 
det(af I • • • I a* 1 I af+^- 1 af.^^ | • • • | a*) 



the vector Vj as 



Vi-i = 



Note that the values 



det(C) 



det(C) det(af | • • • | ^ti I I af+i | • • • | a?) 



det(L*) '-^ det(L*) 

are always either or the indices of full-rank sublattices of L*. The two mutually 
exclusive cases are: (i) af^_^- is contained in the span of af , . . . , af_j, a^j^, . . . , af , 
implying that the determinant is and (ii) af , . . . , a*_]^, af^^-, a*|_]^, . . . , af , im- 
plying that they generate a full-rank sublattice. Therefore, all components of 
vdj are integers. This concludes the proof that mi, . . . , mfc_r are relations for 
the generating set. 

The upper bound on the || • ||oo-norm of these relations follows directly from 
Minkowski's inequality. We can bound the absolute value of the determinants 
by the product of the norms of the column vectors, which can be at most . □ 

Lemma 9.9 (Upper bounds on minima of the approximate lattice). Assume
we set
and choose the scaling factor $s$ so that

$$s < \frac{4 f \lambda}{\mu}.$$

The first $(k - r)$ minima are bounded from above by

$$\lambda_j(\tilde L) < \lambda$$

for $j = 1, \dots, k - r$.

The last $r$ minima are bounded from above by

$$\lambda_j(\tilde L) < \frac{6.5\, f \lambda \alpha}{\mu} \tag{7}$$

for $j = k - r + 1, \dots, k$.

Proof. Let $m_j$ be the $(k - r)$ linearly independent relations constructed in the
proof of Lemma 9.8. We define the vectors



ma a; = m 



Obviously, the vectors $\tilde x_j$ are linearly independent. Since $m_j$ is a relation we
may apply the inequality in (5) from the first part of the proof of Lemma 9.5.
We obtain



XjIIs < ||mj||2 



= II m,, ||2 + s 



E^ 



< II riij II2 + se II vcij 111 < ^/k\\ nij \\oo +sek\\ nij ||oc 
1 + se\/k\ Vk II m,- ||oo < I 1 + -7=Vfc I Vk \\ m 



^/k 



< sVk- 



< A. 



det(L) 

The upper bound on the last minima follows from

$$\lambda_j(\tilde L) \le \max_{i = 1, \dots, k} \| \tilde a_i \|_2 < \sqrt{s^2(\alpha + \varepsilon)^2 + 1}.$$

The upper bound on the square root expression holds since the tangent to the
square root at $s^2(\alpha + \varepsilon)^2 > 1$ has slope greater or equal to 1/2 so a displacement
by 1 can increase the value by at most 1/2 and $s\varepsilon < 2/\sqrt{k} < 1$. These
observations yield the upper bound $4 f \lambda \alpha / \mu + 2.5$, which is bounded from above
by $6.5\, f \lambda \alpha / \mu$. □

To simplify notation in the following we set

$$\tilde\alpha = \sqrt{s^2(\alpha + \varepsilon)^2 + 1}.$$
We apply the basis reduction algorithm to the lattice basis $\tilde a_1, \dots, \tilde a_k$ and
obtain the reduced basis $\tilde b_1, \dots, \tilde b_k$. Denote by $M = (m_{ij}) \in \mathbb{Z}^{k \times k}$ the
corresponding (unimodular) transformation matrix. We write the reduced basis
vectors as

$$\tilde b_j = (m_j, \hat b_j)$$

where $m_j = (m_{1j}, \dots, m_{kj}) \in \mathbb{Z}^k$ are the column vectors of $M$ and

fc 

The following lemma shows we can directly obtain a basis of L with the help 
of the transformation matrix M. 

Lemma 9.10 (Basis and approximate bases for L). Set

Assume that the approximation error is bounded from above by

$$\varepsilon < \frac{\mu}{2 f \lambda \sqrt{k}}$$

and the scaling factor is bounded from below and above by

$$\frac{2 f \lambda}{\mu} < s < \frac{4 f \lambda}{\mu}.$$

Let $M$ be the transformation matrix returned by the basis reduction algorithm
when applied to the basis $\tilde a_1, \dots, \tilde a_k$ of the approximation lattice $\tilde L$.
Define the vectors

$$b_j = \sum_{i=1}^{k} m_{i,k-r+j}\, a_i, \qquad b'_j = \sum_{i=1}^{k} m_{i,k-r+j}\, a'_i$$

for $j = 1, \dots, r$. Then we have

• The vectors $b_1, \dots, b_r$ form a basis of $L$ and their norms are bounded from
above by

$$\| b_j \|_2 < f \sqrt{k}\, \tilde\alpha\, \alpha.$$

• The vectors $b'_1, \dots, b'_r$ form a $\delta$-approximate basis of $L$ with

$$\delta < f \sqrt{k}\, \tilde\alpha\, \varepsilon.$$
Proof. We know that the reduced basis vectors $\tilde b_j$ satisfy

$$\| \tilde b_j \|_2 < f \lambda_j(\tilde L).$$

Using the upper bounds on the first $(k - r)$ minima in Lemma 9.9 we obtain

$$\| \tilde b_\ell \|_2 < f\lambda$$

for $\ell = 1, \dots, k - r$. These vectors are sufficiently short so that Lemma 9.7
applies. We conclude that $m_1, \dots, m_{k-r}$ are relations for the generating set
$a_1, \dots, a_k$ of $L$.

Let $A = (a_1 \mid \cdots \mid a_k) \in \mathbb{R}^{n \times k}$. Then we have

$$AM = (0 \mid \cdots \mid 0 \mid b_1 \mid \cdots \mid b_r) \in \mathbb{R}^{n \times k}$$

since the first $k - r$ columns of $M$ are relations of the generating set. Since
$M$ is unimodular the lattice generated by $b_1, \dots, b_r$ is equal to $L$ and, thus,
$b_1, \dots, b_r$ form a basis.

We first determine an upper bound on the norm of the last $r$ column vectors
of $M$. For $j = 1, \dots, r$, we have

$$\| m_{k-r+j} \|_2 \le \| \tilde b_{k-r+j} \|_2 < f \lambda_{k-r+j}(\tilde L) < f \tilde\alpha.$$

We have

$$\| b_j \|_2 < \| m_{k-r+j} \|_1\, \alpha < \sqrt{k}\, f \tilde\alpha\, \alpha,$$
$$\| b'_j - b_j \|_2 < \| m_{k-r+j} \|_1\, \varepsilon < \sqrt{k}\, f \tilde\alpha\, \varepsilon$$

for $j = 1, \dots, r$. □
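The construction of Definition 9.6 and Lemma 9.10 can be run end to end on a small case. The following is an added example, not code from the paper: it uses a textbook exact-rational LLL reduction instead of the Korkine-Zolotarev reduction the text recommends, and the generators, perturbations, `EPS`, `S` and all function names are constructed for illustration.

```python
from fractions import Fraction


def dot(u, v):
    return sum(x * y for x, y in zip(u, v))


def gram_schmidt(basis):
    """Exact Gram-Schmidt; mu[i][j] = <b_i, b*_j> / <b*_j, b*_j>."""
    ortho, mu = [], []
    for b in basis:
        coeffs = [dot(b, o) / dot(o, o) for o in ortho]
        v = list(b)
        for c, o in zip(coeffs, ortho):
            v = [x - c * y for x, y in zip(v, o)]
        ortho.append(v)
        mu.append(coeffs)
    return ortho, mu


def lll(basis, delta=Fraction(3, 4)):
    """Textbook LLL over the rationals (recomputes Gram-Schmidt; tiny inputs only)."""
    basis = [[Fraction(x) for x in b] for b in basis]
    k = 1
    while k < len(basis):
        for j in range(k - 1, -1, -1):            # size-reduce b_k against b_j
            _, mu = gram_schmidt(basis)
            q = round(mu[k][j])
            if q:
                basis[k] = [x - q * y for x, y in zip(basis[k], basis[j])]
        ortho, mu = gram_schmidt(basis)
        lhs = dot(ortho[k], ortho[k])
        rhs = (delta - mu[k][k - 1] ** 2) * dot(ortho[k - 1], ortho[k - 1])
        if lhs >= rhs:                            # Lovasz condition holds
            k += 1
        else:
            basis[k - 1], basis[k] = basis[k], basis[k - 1]
            k = max(k - 1, 1)
    return basis


def combine(coeffs, vectors):
    """Integer combination sum_i coeffs[i] * vectors[i]."""
    return [sum(c * Fraction(v[t]) for c, v in zip(coeffs, vectors))
            for t in range(len(vectors[0]))]


def approximate_basis(approx_gens, s, rank):
    """Reduce the approximation lattice spanned by e_j (+) s*a'_j.

    Returns (relations, basis_coeffs, approx_basis): the first k - rank
    columns of the transformation matrix M, its last `rank` columns, and
    the vectors b'_j = sum_i m_{i,k-rank+j} a'_i.
    """
    k = len(approx_gens)
    lattice = [[Fraction(int(i == j)) for i in range(k)]
               + [s * Fraction(x) for x in a]
               for j, a in enumerate(approx_gens)]
    reduced = lll(lattice)
    # The first k coordinates of each reduced vector are a column of M.
    columns = [[int(c) for c in v[:k]] for v in reduced]
    relations, basis_coeffs = columns[:k - rank], columns[k - rank:]
    return relations, basis_coeffs, [combine(m, approx_gens) for m in basis_coeffs]


# Constructed sample: L is generated by a_1, a_2, a_3 with a_3 = a_1 + a_2,
# so rank r = 2, det(L) = 5 and (1, 1, -1) is a relation.
TRUE_GENS = [(3, 1), (1, 2), (4, 3)]
PERTURBATIONS = [(Fraction(1, 1000), Fraction(-1, 2000)),
                 (Fraction(-1, 1500), Fraction(1, 1000)),
                 (Fraction(1, 2500), Fraction(1, 3000))]
EPS = Fraction(2, 1000)   # every perturbation has Euclidean norm below EPS
APPROX_GENS = [tuple(Fraction(a) + d for a, d in zip(g, p))
               for g, p in zip(TRUE_GENS, PERTURBATIONS)]
S = 100                   # scaling factor s (constructed value)

if __name__ == "__main__":
    rel, cols, approx = approximate_basis(APPROX_GENS, S, rank=2)
    print("relation:", rel[0])
    for m, bp in zip(cols, approx):
        print("column of M:", m,
              "exact b_j:", [int(x) for x in combine(m, TRUE_GENS)],
              "approx b'_j:", [float(x) for x in bp])
```

Only the approximations `APPROX_GENS` are given to `approximate_basis`; the exact generators are used afterwards to confirm that the recovered columns of M yield a relation and a basis of L.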

We assume in the following the lattice $L$ has full rank, i.e., $r = n$. This
situation occurs precisely in our quantum algorithm. To further simplify notation,
we also set

$$g := f \sqrt{k}\, \tilde\alpha.$$

9.2 Computing an approximate basis of the dual lattice 
L* from an approximate basis of L 

Lemma 9.11. Let $b'_1, \dots, b'_n$ be a $\delta$-approximate basis of $L$ with $\delta < g\varepsilon$ as in
the lemma above. Then we can obtain a $\gamma$-approximate basis of the dual lattice
$L^*$ with

$$\gamma < \frac{2\, n^{5/2}\, g^{2n-1}\, \alpha^{2(n-1)}}{\det(L)^2}\, \varepsilon$$

provided that 

^ det(i) 
Proof. Let $B = (b_1 \mid \cdots \mid b_n)$ and $B' = (b'_1 \mid \cdots \mid b'_n)$ be the matrices whose
columns form the basis of $L$ and the approximate basis of $L$, respectively. We
compute the inverses of these matrices to obtain the basis and the approximate
basis of the dual lattice $L^*$.

Denote the perturbation by $E = B' - B$. We use [SS90, Theorem 2.5] to
estimate the sensitivity of the inverse under perturbation. If $\| B^{-1} \|_1 \| E \|_1 < 1$,
then $B + E$ is nonsingular and

$$\| B'^{-1} - B^{-1} \|_1 = \| (B + E)^{-1} - B^{-1} \|_1 \le \frac{\| B^{-1} \|_1^2\, \| E \|_1}{1 - \| B^{-1} \|_1 \| E \|_1}.$$

We may apply the bound from this theorem because the matrix norm on $\mathbb{R}^{n \times n}$
defined by $\| X \|_1 = \max_{1 \le j \le n} \sum_{i=1}^{n} |x_{ij}|$ is multiplicative.

Let $c_{ij}$ denote the entries of $B^{-1}$. Using Cramer's rule and Hadamard's
inequality, we have

$$|c_{ij}| = \frac{|\det(b_1, \dots, b_{i-1}, e_j, b_{i+1}, \dots, b_n)|}{|\det(B)|} \le \frac{\prod_{k \ne i} \| b_k \|_2}{\det(L)} < \frac{(g\alpha)^{n-1}}{\det(L)}.$$

This implies

$$\| B^{-1} \|_1 < \frac{n (g\alpha)^{n-1}}{\det(L)}.$$

Note that the Euclidean norm of the column vectors of $E$ is bounded by $\delta$ from
above since these vectors are equal to $b'_i - b_i$. This implies $\| E \|_1 < \sqrt{n}\,\delta < \sqrt{n}\, g\varepsilon$.

Assume that 

det(£) 

which ensures that $\| B^{-1} \|_1 \| E \|_1 < 1/2$. Then we have

This implies that the column vectors of $B'^{-1}$ form a $\gamma$-approximate basis of $L^*$
with

$$\gamma < \frac{2\, n^{5/2}\, g^{2n-1}\, \alpha^{2(n-1)}}{\det(L)^2}\, \varepsilon.$$

□

Corollary 9.12. Recall that the quantum algorithm returns a generating set
with $\varepsilon < 1/(4\sqrt{n}\, q)$. This and the above lemma imply that if

o > max < — — , — ■ — > (11) 

^- \2det(L)' 2det(L)2 7/ ^ ' 

then we obtain a $\gamma$-approximate basis of the dual lattice $L^*$, where
19 5fc/2Q:"+i 

det(L)Ai(£) '^"'^ "^,=T^^"^^"^>- 
Proof. This follows with g = Vkf& < Vk6.5pXa/n and A = SVka""- / det{L) . 

□ 



10 Final analysis of the quantum algorithm 

By combining all material from the previous sections, we obtain the following 
result: 

Theorem 10.1. Assume that A1)-A3) hold with $C < 1$ and $A > 1$. Further,
assume that $N, q, N_0, L \in \mathbb{N}$ are chosen such that

N > max<^ 32, — ^ 



3C" ' 32 Ai(A)' 

9n2 9 



max 



{8n-2,n("-i)/22"+i-2}- 



2Ai(A) 64 
Nq > 8n'^{n + l)N, 

g> max(32, 9A, gg! + 2n("+ ^^(n + 1) , 
' TV ^ ^Ai(A)"-i 

19.5"n"+3/2(l + 1^ + ;ir)"iVo"'+^""^ det(A)2»+i 



and L > 



2 • 9" +2"-iAi(A)"'-" 

19.52"n2"+3/2(l + A. + J_)2n-1^2«^+3n-3 det(A)4" 
7 • 39 • 92»2+3n-3^^(A)2"'-3»-l 

4nD{q + A + C + 2)" 



Set K := and assume that s E S is chosen uniformly at random. Then 
the probability that the algorithm described in Section \3[ applied n times with 
the parameters N, q, k, and n + 1 times with the parameters Nq, q, k, returns an 
j^^- approximate generating set of A* is at least 

.17417\4"+2 /n+1 



COs(-;,6864; ^nC«-^-i) 11(1-2-') 



^1=2 

^ 6.198327-1.54587777" 

— 2^Q6n+6g2"^7^4n^+2n 



If such an approximate generating set of A* is obtained, the algorithm described 
in Section\^ computes a 'y- approximate basis of A. 

We will prove this theorem further down (on page 48). In case n = 1, we
can improve the bound from Theorem 10.1 significantly:

Proposition 10.2. Assume that $\Lambda \subset \mathbb{R}$, i.e., that n = 1. Further, assume that
A1)-A3) hold with $C < 1$ and $A > 1$, and assume that $N, q, L \in \mathbb{N}$ are chosen
such that

, oo 4 32D 36 9 27 „ 9 
N > max-^ 32 



and L > 



A' 3C ' det(A) 16' det(A) 16 
' N 

AD[q + A + C + 2 



q> niax<i32, 9A, — +4det(A), i^iV^ jet(A)3 • max (l, ^SliAll 
' N 9^ I 7 J 



C 

Set K := i and assume that s ^ S is chosen uniformly at random. Then the 
probability that the algorithm described in Section\^ applied two times with the 
parameters N,q,K, returns an j^- approximate generating set of A* is at least 

cos"(^iil) > 7.163 -10-3 



7776 



If such an approximate generating set of A* is obtained, the algorithm described 
in Section\^ computes a ^-approximate basis of A. 

We will also prove this proposition further down (on page 110.21) . 

One important remark is that it is not possible to determine whether our
algorithm actually returns the lattice $\Lambda$ or a proper sublattice of $\Lambda$. This is
a problem of all such quantum algorithms, in particular the ones by Hallgren
and Schmidt and Vollmer. In case the infrastructure is obtained from
a global field, checking whether the lattice computed by our algorithm is a
sublattice of $\Lambda$ can be done efficiently: one simply has to check whether the
computed basis consists of units of the global field. However, even when one
assumes that the Generalized Riemann Hypothesis holds, there is no efficient
polynomial-time algorithm known which certifies that a given sublattice of $\Lambda$
equals $\Lambda$. But we assume that the case that a basis returned by our algorithm
(and any of the other algorithms, for that matter) generates a proper sublattice of
$\Lambda$ is somewhat pathological.

Note that the lower bound on the success probability is very small even for 
moderate n. More precisely, for n = 1, . . . , 10, the inverses of the probabilities, 
i.e., the expected number of iterations which have to be run, are bounded from 
above by 

1.40-10®, 1.27-10^", 4.67-10^^, 1.74•10^°^ 6.47-10^^®, 
1.39-10^^°, 7.12•10^^^ 2.92•10^^^ 2.72 • 10^^^ 1.43-10'^^^. 

(Note that for n = 1, we used the algorithm described in Proposition 110.2) the 
bound given by the formula in Theorem llO.ll is 1.26-10^^.) The success probabil- 
ity for the algorithm in jSch07| is bounded from below by 2"^"" -i2n-2^-4n ^ 
as stated there in Satz 6.2.6. Hence, the expected number of iterations for 
n = 1, . . . , 10 for this algorithm are bounded by 

1.72-10^°, 5.32•10^^ 6.32•10*^^ 8.18•10^^^ 1.19-10^^^, 
1.18 -10^^^ 3.45•10^*^^ 1.02 -10^^^ 9.05 • 10*^^ 6.10 -lO^^^®. 
Note that in [SV05] the success probability is given as 2"*^" " for some $k \in \mathbb{N}$
and $\varepsilon > 0$ without making these explicit; the behavior for $n \to \infty$ will be
similar to the analysis in [Sch07]. Finally, in [Hal05], no success probability
is given at all. The current analyses can only prove expected running times
which are impractical. Our analysis improves on the previous ones, though not
substantially. We believe that it can be further optimized.

Assuming that n is constant, we obtain the following complexity theoretic 
result, which extends the results by Hallgren and Schmidt and Vollmer 
to a larger class of infrastructures: 

Corollary 10.3. Assume that $n = O(1)$ and that X is an infrastructure
satisfying the assumptions A1)-A3). We obtain a quantum algorithm to compute
$\Lambda$ with a success probability bounded away from 0 by a constant which runs in
time polynomial in logdet(A), log x^(K) ' ^*^S 7' l^S^; log ^ ^'^'^ logZ?. □ 

Note that $\log L$, $\log N$, $\log N_0$ and $\log q$ can all be chosen to be linear in
log det ( A) , log jytaJ . log :^ , log A, log ^ and log D . 

Finally, we want to conclude with the proofs of Theorem 10.1 and
Proposition 10.2.

Proof of TheoremUOJl We have C < 1, A > 1, N, Nq > 32, q > max{32, 9 A} 
and K — Clearly, with qNo > qN > 32^ > 18 we get assumption (V). Since 

^ < 4 < 32 and since No > N > ^("+1)^^^-^-^ -^q have assumption (II) for 

N and A^o- The requirement Nq > 8n^{n + 1)N on Nq is assumption (VIII). 



Since A^o > A^ > max{8n - 2, n("-i)/22"+i - 2} • + u> max 



■in 



2^„(n-i)/22n+i _ 2} • + ^ > ^c havc assumptions (III) for A^ 

and A^o as well as assumption (VI), and as A^ > ^ + > 9n(^ + -^^) 

we get assumption (VIIi). Next, q > 9 A > 9 yields assumption (II) for q. 
The third condition on q yields assumption (IVi) using the bound i^(A) < 
i„(n+i)/2_^^(AI^ rpj^^^ bound follows by Theorem 7.9 in |MG02) . stating that 

2 



v{A) < ^A„(A), and from 



A„(A)<n"/^ J_ff) <n"/^ 



det(A) 



nr=7A.(A)- Ai(A)«-i 

by Minkowski's second theorem [MG02, Theorem 1.5].

The condition on L ensures that assumption (I), i.e. the hypotheses of Corol- 
lary 14.31 are satisfied. Hence, if s S 5 is uniformly picked, with probability at 
least 1/2 we have H^"'^{1/{2NL)) D G{s) = 0, which guarantees that we can 
compute the function / for all u £ V exactly using A3). 

Note that k = ^ yields c — cos^(7r(i -I- + 2/tn)) > cos^(7ri||i|) > 

0.00746 as gA^ > 32^. Combining this with the bounds in Section [8.1.31 vields 
the lower bound 

cos(7rg|i|)^"+^ ^ 1.239665-1.54587777" 



> 
for the probability that 2n + 1 runs of the quantum algorithm (with fixed 
"good" s) yield a generating set of A*; here, p* > {]Xl=2 C(«)~^ - j) ' nr=i^(l " 
2"0 > (C - i) ■ 0.289 > 0.184 • i (compare Equation © on page|3l]). This has 
to be multiplied by 1/2 for the above mentioned probability that a uniformly 
chosen s€ S yields i?g"'^(l/(2iVi)) n G(s) = 0. 

In the context of Corollarv l9.121 we can bound a by ^/nbo — ^/nuNo — < 
g^iVo, and fc = 2n + 1 is the number of generating elements. When using 
Korkine-Zolotarev reduction, we can use / = iV2n + 4. Since L = A*, we see 
that det(L) = (det(A))-i and < A„(A) < "^"^''^^5^ ■ This yields 

^ 137^3/2(1 + A + J^)det(A)^jVo"+i 
^- 6-9"Ai(A)"-i 

Therefore, the algorithm in Section [5] computes a 7-approximate basis of A from 
a ^Jnfig -approximate generating set of 2n + 1 vectors in A* if 

' 19.5"?i"+3/2(l + ^ + ;ir)"A^o '^^""^ det(A)2»+i 



q > max 



19.52"7l2"+3/2(l + A + Jj)2"-liV2"'+3"-3det(A)4 



7 • 39 • 92n^+3n-3^^(A)2n^-3n-l 

But this is satisfied by the fourth and fifth condition on q. □ 

Proof of ProposittonUEM We have C < 1, A > 1, > 32, g > max{32,9A} 
and K — ^. Clearly, with qN > 32^ > 18 we get assumption (V). The second 
and third assumption on N yield the A^-part of assumption (II), the fourth 
yields assumption (III) and (VII2) and the fifth yields assumption (VI2). The 
second assumption on q yields the g-part of assumption (II) , and the third part 
yields assumption (IV2). Note that Ai(A) = det(A) and z^(A) = ^ det(A). 

Note that K= ^ yields c = cos^ {7r{\ + j^+2Kn)) >cos2(7ri|§|) > 0.00746 
as qN > 32^. Combining this with the bounds in Section [5^ yields the lower 
bound 

1 4(- 17417 \ 

_!_^2 2^2 2 \ " 36864 j 

48 - 48 • 92 

for the probability that two runs of the quantum algorithm (with fixed s) yield a 
generating set of A*. This has to be multiplied by 1/2 for the above mentioned 
probability that a uniformly chosen se S yields H<^"'^{1/{2NL)) n G(s) = 0. 

In the context of Corollary 19.121 we can bound a by ^A^, and fc = 2 is 
the number of generating elements. Since in dimension one, one can reduce 
perfectly, we can use / = 1. Since L = A*, we have det(L) — (det(A))~^ and 
Ai(L) = det(L) = (det(A))^^. Using this, the algorithm in Section [9] computes 
a 7-approximate basis of A from a ^-approximate generating set of two vectors 
in A* if 

^ 19-5 ,.2 1 det(A)1 
q > -p-^ det(A)3 • max |l, 
But this is satisfied by the last condition on q. □

List of assumptions
Assumption   Can be found in     Condition

(I)          Corollary 4.3       L > 4nC(.+A+C+2)" ^^^^ ^ <
(II)         Corollary O         q>9 max{l, A} and > max{ \ , }
(III)        Proposition 5.4     AT ^ - Ai(A)
(IV)         Proposition 5.4     g > 2ni.(A) + f
(IV1)        Section 8.1.3       q> ^ +4n(n+ l)iy(A)
(IV2)        Section 8.2         9> f +4det(A)
(V)          Proposition 6.1     ^ 8n 4nqN
(VI)         Lemma 8.1           A^ > i (max{8n - 2, r.("-i)/2 • 2"+i - 2} • ^ + ^)
(VI2)        Section 8.2
(VII)        Lemma 8.1           kV29 + Ai(A)/
(VII1)       Section 8.1.3       - K\q ^ Xi{A))
(VII2)       Section 8.2         - K Vg ^ dot(A)y
(VIII)       Lemma 8.2           $N_0 > 8n^2(n+1)N$